Eighty-one percent of organizations knowingly ship code with vulnerabilities.
Let that sink in. Not "accidentally." Not "unknowingly." Knowingly.
That stat comes from Checkmarx's 2026 Future of AppSec survey of over 1,500 CISOs, AppSec managers, and developers worldwide. And when I first saw it, I had the same reaction you probably did: What the hell is wrong with these teams?
But that reaction is wrong. And if we keep having it, we'll keep solving the wrong problem.
The Conventional Take
The industry narrative around this stat is predictable. Headlines frame it as moral failure. Reckless developers. Negligent leadership. Teams that just don't care enough about security.
The supporting data seems damning. 33% of respondents admitted they "hope vulnerabilities go undiscovered." Thirty-eight percent push insecure code specifically to meet deadlines.
Read those stats, and the solution seems obvious. Let's invest in more training, more tools, and more accountability. Shame teams into caring! Buy another scanner. Mandate security reviews.
We've been doing exactly that for a decade. And the number went from 66% in 2024 to 81% in 2025.
So maybe the conventional take is missing something.
The Reframe: Capacity, Not Character
Here's what I think is actually happening. These teams aren't ignoring vulnerabilities. They're triaging under impossible constraints.
Consider what "knowingly" actually means in this context. It doesn't mean teams see a critical vulnerability and shrug. It means they see a dashboard full of findings, know some percentage are real risks, and ship anyway—because the alternative is shipping nothing.
The Veracode/ESG survey puts numbers to this. 54% cite deadline pressure as the reason they ship vulnerable code. Forty-five percent find vulnerabilities too late in the development cycle to fix them.
These aren't moral failures. They're process failures. They're capacity failures.
Here's the stat that crystallized it for me. Developers only get to 32% of known vulnerabilities. Not because they're lazy or incompetent. Because there are only so many hours in a sprint, and vulnerability remediation competes with feature development, bug fixes, technical debt, and everything else on the backlog.
When your team can only address a third of what's found, you're not choosing to be negligent. You're making triage decisions under resource constraints, and those constraints could actually be relieved.
The Evidence Stack
If this were isolated negligence, the numbers would be stable or declining as awareness grows. Instead, they're accelerating.
Meanwhile, 98% of organizations experienced a breach stemming from vulnerable code in 2025—up from 91% in 2024 and 78% in 2023. Security investment is at record highs. Tool adoption is at record highs. And breach rates keep climbing.
Forty-two percent of developers push vulnerable code at least once a month. This isn't exceptional behavior. It's routine. It's the operating norm for nearly half of all development teams.
We've gotten exceptionally good at finding problems and made almost no progress on fixing them.
What Actually Helps
If this is a capacity problem, then the solution isn't more detection. We're drowning in detection. Another scanner finding another thousand vulnerabilities doesn't help teams that can only address a third of what they already know about.
The organizations making progress are the ones investing in remediation capacity—not just finding more, but fixing more. That means:
Prioritization that actually prioritizes. Not every vulnerability is equal. CVSS scores don't account for your specific environment, your authentication boundaries, your defensive layers. Teams need to know which of the thousand findings actually matter in their context.
Automation that multiplies human effort. If developers can only get to 32% of vulnerabilities, the leverage isn't in pushing them harder. It's in making each hour of remediation work go further. Automated fixes, automated triage, automated validation.
Process changes that shift left without shifting blame. Finding vulnerabilities earlier only helps if teams have capacity to address them earlier. Otherwise you've just moved the bottleneck.
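As an added illustration of the kind of contextual prioritization described above (this is example code, not from the article or from the surveys it cites), here is a small Python ranker that adjusts a base CVSS score by the environmental factors the text names and then picks what fits a sprint's fix budget. The findings, the weights and the capacity of two fixes per sprint are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    id: str
    cvss: float                  # base score, 0.0 to 10.0
    internet_exposed: bool       # reachable from untrusted networks
    auth_required: bool          # attacker needs a valid account first
    reachable: bool              # vulnerable code is on an executed path
    known_exploited: bool        # exploitation observed in the wild
    compensating_control: bool   # WAF rule, feature flag, etc. already blocks it

def contextual_score(f: Finding) -> float:
    """Fold environment factors CVSS cannot know into the base score.
    Weights are constructed for illustration, not calibrated."""
    score = f.cvss
    if not f.reachable:
        score *= 0.3   # dead or unexercised code path
    if not f.internet_exposed:
        score *= 0.6   # attacker needs an internal foothold first
    if f.auth_required:
        score *= 0.8   # an authentication boundary sits in front of it
    if f.compensating_control:
        score *= 0.5   # a defensive layer already reduces exposure
    if f.known_exploited:
        score = min(10.0, score * 1.5)  # active exploitation outranks theory
    return round(score, 2)

def plan_sprint(findings, capacity, key=contextual_score):
    """Pick the findings that fit this sprint's fix budget, riskiest first."""
    ranked = sorted(findings, key=key, reverse=True)
    return [f.id for f in ranked[:capacity]]

# Constructed sample backlog: five findings, a team that can fix two per sprint.
BACKLOG = [
    Finding("A", 9.8, False, False, False, False, False),  # critical, but unreachable and internal
    Finding("B", 7.5, True, False, True, True, False),     # high, internet-facing, exploited in the wild
    Finding("C", 8.8, True, True, True, False, True),      # high, but behind auth and a WAF rule
    Finding("D", 6.5, True, False, True, False, False),    # medium, unauthenticated and exposed
    Finding("E", 9.1, False, True, True, False, False),    # critical, internal and authenticated
]
CAPACITY = 2

if __name__ == "__main__":
    print("CVSS-only plan:  ", plan_sprint(BACKLOG, CAPACITY, key=lambda f: f.cvss))
    print("Contextual plan: ", plan_sprint(BACKLOG, CAPACITY))
```

Ranking by raw CVSS spends the sprint on the two "critical" findings, while the contextual ranking spends it on the exposed, actively exploited ones.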
The organizations succeeding aren't the ones with the most tools or the strictest policies. They're the ones that have honestly assessed their remediation capacity and invested in expanding it.
The Uncomfortable Question
We've spent twenty years optimizing for detection. We've built an entire industry around finding vulnerabilities. And we've created a capacity crisis where teams literally cannot keep up with what we're finding.
That's not a people problem. That's a systems problem. And it demands a systems solution.
Until we're willing to have that conversation honestly, the 81% isn't going down. It's going up.