three_burgers 2 hours ago

CVE-2026-28952 is about an integer overflow due to lack of input validation. I wonder what makes such a vulnerability difficult to discover by traditional SAST tools?

firesteelrain an hour ago | parent [-]

Fuzzing, dynamic analysis or DAST might have found it too.

Assuming Apple has deployed all of these and has invested in the labor/training on how to properly use them.