The vulnerability looks like a failure on the dev team's part.

The patching cycle can become a problem for certain operations / industries.

Everybody hates the work, and security is often seen as a barrier and a cost center, not a driver or revenue.