Even after all these years the software industry seems to be ever in a state where we believe that if vulnerability exists but is unknown to the public it cannot be exploited, so our software is “practically secure.” In theory this is true, but the problem is that once someone finds the vulnerability, the finder may just exploit the vulnerability instead of reporting it or helping to fix it. Having “hidden” vulnerabilities doesn’t really make the vulnerabilities go away; it simply means that the vulnerabilities are a time bomb, with no way to know when they will be exploited.
Security is a fascinating subject even for uninitiated not to mention Bruce (who makes money with it no slower than the US Treasury printing presses) that may be looked at from different perspectives and talked about in several management dialects, including McKenzie (I do not speak it but I can understand it in a round-about sort of ways). Talking about security often gives you a cozy feeling. And all those diagrams, tables and, oh my, vectors and mitigations, they are so neat and kosher… until someone starts asking hard questions. Pray this someone is not your customer.