I will add this though. I once worked on the UK government Trusted Software Initiative.

We concluded that small companies just don't have the resource to secure things well. The only way we could move the needle at all was by better security training and awareness in the short term. But the fundamental economic point remains the same, and certainly magnified by vibe coding.

On the flip side, we can start using AI to find security problems too.