BTW I'd respond to the other threads but HN seems to object to deep threads.
On "flaws fixed rather than concealed": sure, in a perfect world they do, but limited resources == prioritization, and some systems and packages inevitably get left behind; insiders know which those are.
What do I, as a user and customer of software, care why companies harbor known security flaws (that, after all, is what you're talking about)? Hope is not a strategy. Those flaws are going to be discovered whether or not insiders leak them.
I'm not sure where I said hope was a strategy; I said insiders might have information that's of value to attackers (unless I got my threads mixed here).