
Did you see the claim "70% of all security bugs are related to memory safety"? That isn't to say 70% of successful exploitation of said bugs resulted in genuine harm, but low-level vulnerabilities in widely used system-level software (network stacks etc.) can potentially have devastating effects in the way an Excel macro is unlikely to.


What I'm trying to get at here is that security is not just "bugs". Nowhere in the Excel macro hell that is my job are there any bugs. Using a macro to transfer money in and out of people's accounts in bulk is bad design, it's insecure, and I have at times argued that it's unethical, but it is also not a bug; it's exactly how the system was designed to work. Edge was designed to embed an Internet Explorer OLE frame, and that frame was designed to have an IE7 compatibility mode. No part of that would count in the "70% of bugs" list.

Moreover, almost no bugs are discovered in the actual reasonable software we have. That's not because we are the best engineers, or because we write it with the utmost care and attention to detail. It's because we're a total of 5 people (mostly a couple of years out of uni) looking at it. C and other systems programming languages are greatly overrepresented in the corpus of software that is actually being combed through for bugs. Java and COBOL are heavily underrepresented.

I want to make this clear again. I work in banking. If 2008 showed us anything, it's that banking underpins most of our modern society, so these quality issues are not unimportant; they can be devastating.



