I think that there are, practically, infinite vulnerabilities in common and critical software - browsers, operating systems, etc. So discovering all of them is not tractable, and even if we 100x our rate of discovery it won't matter.

> In either case, do you think that this was also true pre-AI? That is to say: it was not possible to, given some set of practical resource constraints, find and fix all the vulnerabilities that a similarly-resourced group would find?

Yes.

> If so, then would you say that you just fundamentally don't believe in secure software and the only defense is lack of attention?

I believe in security software, few people are building it though and the majority of relevant attack surface is dogshit for security.

Squashing vulns via discovery is irrelevant to security. If we want safer software it has to be built to be safer.