Interesting concept - but code and bugs should be separated...
As an application delivery engineer I dread the concept of introducing (lookalike) bugs at the code level.
However, it would be interesting to configure an application delivery controller (ADC) to respond to probes with bug-like 'features'.
That would keep the code clean, allow implementation of these 'bugs' without involvement from dev and/or app vendors, and still provide troubleshooting/validation without running into the security bugs.
It would, however, cause madness with security teams running (external) scans. I already have to 'patch' non-existing vulnerabilities because the security team's audit scan fails. Quick example: a scan from a well-known security scanning firm sent OpSec into a mad spin because a request to /xyz.cgi resulted in a 200 OK... At times I wonder if Don Quixote secretly is the patron of OpSec, but I digress.