As fatiguing as legal breach notices are to lay people, it's equally frustrating as a dev because security is not a distinguishing feature we can advertise in our product so we can't prioritize it at all. Let the lawyers figure it out later seems to be best practice now.

And of course vuln finding is now automated so even if we do a good job locking it down this morning, nothing will not keep out the next wave tonight.

Plus, our current political atmosphere encourages digital chaos, for example gutting CISA.