Nah it's overwhelmingly the former, as far as what project Glasswing has focused on. It's finding vulnerabilities in code that was written years (in some cases decades) ago. Browsers, Linux Kernel, etc.
That's not to say that we aren't introducing new bugs, but I'm only addressing Mythos and Glasswing.