Re: Pretty bloody good if you ask me
Claptrap! Any deviation from expected or intended function is a potential vulnerability (or opportunity from an attackers viewpoint). The key message is that you only need a single critical exploitable bug in ANY system, no matter how simple or complex. The fact is that more complexity invites more opportunities for bugs and 17 per million lines of code seems very high quality to me. Software defects are almost always security defects it's just a case of how exploitable they are over time.