Are we assuming, all tests pass == software done?

Do Firefox not have tests? Then how was there over 200 CVEs found?

Are we going to be comfortable running a piece of software that has 1M lines, and who knows how many zero-days will be in it.

Yes, sure they are going to use LLM to find the CVE's, and so will the hackers. You need a day or two to fix the security issue, a hacker just need to put it in use.

And good luck debugging a million line code base.

1M LOC == already failed.