Volume 10 of the Veracode “State of Software Security” report makes one fact abundantly clear: there’s no shortage of security flaws to be fixed in the applications we use every day. So many, in fact, that it’s virtually impossible to address them all, which raises the question: how do you prioritize what to fix?
One enemy when it comes to fixing flaws is recency bias. The report shows that if a flaw isn't fixed within the first month after its discovery, the chance it will ever be addressed falls dramatically: to 10% in the second month, and lower from there.
What's the real problem? Developers don't want to review or fix old spaghetti code written by someone else.