That's very interesting. I had never thought this, yet after you explain it, it makes perfect sense.

I wonder if there's yet another effect at play, which is that memory-safe wrappers/bindings force the underlying C/C++ code to get clear about its own semantics. This came up in the recent Rust-in-the-Linux-kernel kerfuffle, because it can feel *insulting* to existing C coders...

That’s right things to do instead of rewriting everything. There are orgs and OSS projects haven’t integrate sanitizers/fuzzing into the QA process even though those tech exits more than a decade.

Good writeup. Agree that vuln prevention > discovery > response. Curious about 1. How is "old" vs "new" code designated? 2. How is a specific vuln connected to only old or new code? Or am I misunderstanding 3. No counterfactual here right? ex to find/fix vulns in the old code

This is true for any desired change of programming practice.