by TomSwirly 826 days ago
No, there is in fact a qualitative difference between a program where the expected number of CVEs is 1, and one where the expected number of CVEs is 0.02.
1 comments

Yes, there are fewer CVEs. So?
Are you being purposely dense?

If the mean number of CVEs is low enough, some proportion of software has 0 exploitable flaws, and is invulnerable regardless of how much attackers spend.

I consider that most software that people use is sufficiently complex enough that it will not fall in this bucket.