For decades software vendors have got away with pushing products and services to market that are insecure – think hard-coded credentials, rudimentary security flaws like simple buffer overflows or SQL Injection bugs, which could and should have been spotted in testing before release.
Sometimes these get pointed out by white hats. Often they get leaped on and exploited for monetary or geopolitical gain by cybercriminals or hostile nation states. Occasionally they get spotted belatedly internally.
But by and large, “oops our shit is broken again” ends up being a problem downstream and not the headache that it arguably should be for vendors.
