The most difficult part is always to find the vulnerability, not to fix it. And most people who are spending their days finding them are heavily incentivized to not disclose.
Automatic discovery can be a huge benefit, even if the transition period is scary.
Hopefully such automation also covers fixing instead of giving open source devs headaches, like the one over some obscure codec from the '90s.
Nevertheless, attacking is a targeted endeavour, unlike defense. Fixing is, in _general_, more difficult in theory.
* Reference to the past Google and FFmpeg incident.