by rigid 810 days ago
I bet in the majority of cases, there's no need to pressure for merging.

In a big company it's much easier to slip it in. Code seemingly less relevant for security is often not reviewed by a lot of people. Also, often people don't really care and just sign it off without a closer look.

And when it's merged, no one will ever look at it again, other than with FOSS.

2 comments

An insider could just be tasked with looking for exploitable vulnerabilities in existing code and compiling this information for outside entities, without ever having to risk inserting a purpose-made backdoor. Considering the security state of most large codebases, there would be a bottomless well of them.

Who that is capable of actually doing it properly wants this job?

I think you nailed it.