Regarding 1 and 2, my pity is mild if this requirement forced companies to follow principles of secure software development, configuration and deployment. Injecting stuff from deployment config is not hard.
3 is valid and can be tricky, as it would depend on when in the software lifecycle the release would be mandatory. If it's in a wind-down or bankruptcy situation, it would be tricky. Though that discussion is similar to the responsible disclosure discussion, isn't it? Exploiters usually already know them.
Try open sourcing a code base that has been built up over the last 15 years and most of the devs no longer work there. That’s what you’re asking for many online games.
Not to mention open sourcing the code will subject the company to legal liability if there’s something weird in there like discrimination of some form.