by xeyownt 66 days ago
One defender, many attackers: I don't see how the economy of scale can be positive for the defender.

Assuming your code is inaccessible isn't good for security. All security reviews are done assuming the source code is available. If you don't provide the source, you'll never score high in the review.

2 comments

I think automated scanning can be positive for the defenders, when the rate of introducing new vulnerabilities versus fixing old ones is < 1 (detection rate and infra are factors too, of course). In that case, AI can become the many eyes that check FOSS, and those projects will eventually reach a "secure" state.
It's the opposite: the economy of scale favors defense.