Hacker News

awesome_dude yesterday at 8:02 PM

That's correlation, not causation.

It could equally be argued that the AI slop that's being produced makes for a lot more vulnerabilities being shipped. The bigger target makes for the easier discovery.


Replies

tempestn yesterday at 8:13 PM

But don't we know that some of the vulnerabilities being discovered predate AI coding?

jefftk yesterday at 11:41 PM

It likely varies enormously between projects. Linux remains extremely low in slop, and the vulnerabilities being fixed are quite old, so it's improving. Many vibe-coded projects are very sloppy, and are adding a lot of vulnerabilities.

Total number of vulnerabilities likely goes up over time weighting all projects equally, but goes down over time weighting by usage.

ragall yesterday at 8:10 PM

> That's correlation, not causation.

Pragmatically, correlation *is* evidence of causation in favour of the best explanation, until somebody finds a better explanation.

> It could equally be argued that the AI slop that's being produced makes for a lot more vulnerabilities being shipped.

This is also true, and does not exclude the other, because for the moment the vast majority of production software in the world (and therefore the bulk of enticing targets) was written before AI. If LLM software becomes prevalent in commercial setups, then LLM-generated code will eventually become the majority of targets.
