I really do not follow what you are trying to convey here.

If there are vulns, and you are using software from nixpkgs, there are tools to get yourself notified about vulnerable packages.

If you want to run vulnerable software on-demand, you can just boot the machine/VM up when needed? If you want to patch stuff yourself, Nix makes it trivial to apply your own patches to already packaged software.
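As an added illustration of the "apply your own patches" point (example code, not from the post above): a nixpkgs overlay that appends a local patch file to the `patches` of an already packaged program via `overrideAttrs`. The package attribute `examplepkg` and the patch file name are placeholders; substitute the real attribute name and the patch you want to carry until upstream ships a fix.

```nix
# Added example, not part of the original post.
# Assumptions: `examplepkg` is a placeholder for a real nixpkgs attribute,
# and ./fix-placeholder.patch is a patch file you provide next to this file.
final: prev: {
  examplepkg = prev.examplepkg.overrideAttrs (old: {
    # Keep any patches the package already carries, then add ours.
    patches = (old.patches or [ ]) ++ [ ./fix-placeholder.patch ];
  });
}
```

On NixOS this goes into `nixpkgs.overlays` in `configuration.nix`; the patched derivation gets a new store path, so the old binary is never modified in place and a rebuild switches you back if the patch turns out to be wrong.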