> I cannot wrap my mind around why people think finding vulnerabilities is bad. The code already was broken before somebody published the vulnerability. The difference now only is that you know about this.

I don't think anyone is saying that here.

I think the net result is "wow, we're going to end up a lot more secure in several months, but things are going to feel sucky because stuff just got A) way easier for the average bad guy, and B) way busier on the fixing side."

I think it's likely we end up with an equilibrium with a lower rate of bug discovery than we're used to, but we need to experience an above average rate for a long while first...