The point I'm making is that people have to create defects in the first place. Contrary to some claims on these threads, most code does have a finite amount of exploitable defects.
Ah right, got you now. I was referring to the scalability issue.
Of course the great thing about code defects is that updates are just as good at introducing new bugs if the developers don't have proper security processes in the first place.
The large strategic moves by major vendors like Microsoft, Adobe, Google, and especially Apple with the iOS platform seem to be doing a good job of killing whole subclasses of vulnerabilities, and of driving up the cost of exploitation (above and beyond flaw discovery).
Your point about software maintenance introducing a continuous stream of new flaws is well taken, but ultimately I think vendors who take this problem seriously are in a very good position to do something about it.
You're right. The bigger boys are in various stages of getting it together; it's the ones that don't seem to have immediate column-inch impact (Oracle, SAP etc.) that aren't quite there yet, and then you've got everyone else who lacks the resources or interest to pull it off.
And again economics is firmly in our corner here, since the effort to build exploits for exotic targets isn't that much less than the effort to target e.g. Android... but the incentive to build those exploits is far lower.
Actually they can and are[1]. Not so much the exploit dev bit, but the bug hunting is getting more automated.
[1] - http://www.scribd.com/doc/55229891/Bug-Shop