"The underlying issue is that security is hard and in general there is no feedback loop except security incidents."

this is tbh, computer architecture is already hard enough and cyber security is like a whole different field especially if the system/program is complex