Hacker News
by pwnguin 1695 days ago
What stops someone from designing a blue team technique that is just red team techniques applied to your own product prior to release? I suspect MS does exactly that, but red team productivity varies.
2 comments

This is known as "purple teaming". You have security team segments actively trying to attack your own systems, using established tooling/techniques but also developing bespoke attacks that are specific to your systems.

Then, and this is crucial, they not only teach the blue team from their findings - they also rotate out to blue teams, to become the defenders themselves. At the same time, some of the blue team rotates in. Rinse and repeat. The whole point is that you have to understand both sides properly, and continuously work with the teams involved. Otherwise you're nothing more than a consultant.

Nothing stops that; it is one of the most routine things you could do. NCC Group exists to provide this service. HackerOne exists to provide this service. Having an external team periodically attempt to penetrate your defenses is legally required for anyone who processes payment card information (in the US; I don't know what PCI requirements are like elsewhere).