by EE84M3i 51 days ago
I don't think there is a general consensus in the security community that finding bugs is easier than writing exploits.

It definitely is. You can use all sorts of vuln scanners to find vulns. Most codebases have vulns, and most vulns aren't even reachable. The hard part is chaining them together in a fire-and-forget exploit that gets you what you want from the target.
Isn't breaking the sandbox the hard part?

RCE is effectively "can run code" which is just JavaScript if you ignore the sandbox.