Compare to the cost when said vulnerabilities are exploited by bad actors in critical systems. Worth it yet?