[TheDong]

There is a difference between the cat-and-mouse game of spam fighting and between fixing vulnerabilities.

Typically, when you fix a vulnerability, things are strictly better. Attackers can no longer do X bad action, but all legitimate users can still do everything they wanted.

Spam fighting is different. If you make your spam classifier broader and broader, it will have more and more false positives as well, and legitimate comments will get deleted too. Without AGI, or at least very good language parsing, it really will be a case of tuning between "more false positives, less spam" and "fewer false positives, more spam".

There's also vastly more spam than there are security vulnerabilities since there are hundreds of thousands (millions?) of people intently creating spam for profit, while bugs are mostly accidental, and exploitable ones relatively rare.