
Before ransomware gangs became billion-dollar criminal enterprises, before nation-state hackers started treating America's infrastructure like a proving ground, and before every company hired an army of cybersecurity consultants, someone made a very expensive decision.
They shipped the software anyway.
That, in a nutshell, is the dirty little secret of modern cybersecurity. We like to blame the hackers. We lecture users about weak passwords. We invent catchy slogans about cyber hygiene. We mandate another round of employee training where Bob from accounting learns — again — not to click the attachment promising free Taylor Swift tickets.
Meanwhile, the people who actually wrote the vulnerable software quietly release another patch.
Welcome to the age of "patch and pray."
It's an odd business model when you stop to think about it. Imagine if your refrigerator manufacturer emailed you every third Tuesday to announce that thieves had discovered a flaw allowing strangers to steal everything in your kitchen unless you downloaded Firmware Version 18.6 before lunch.
Or suppose Ford announced that the brakes on your F-150 would occasionally stop working, but don't worry, a fix is available. Just install it sometime this week. Assuming hackers don't weaponize the flaw first.
Congress would hold hearings before sunset. Yet in software, we've somehow accepted this as normal.
Every Patch Tuesday has become something of a national holiday for IT departments. Security teams brew another pot of coffee, review hundreds of pages of vulnerability disclosures, prioritize emergency updates, test compatibility, deploy fixes, hope nothing crashes, and then wait for next month when the whole circus rolls back into town.
The software industry has convinced us that this is simply the cost of living in a digital world. It isn't. It's the cost of decades spent rewarding companies for shipping products quickly instead of shipping them securely.
To its credit, the Cybersecurity and Infrastructure Security Agency has begun challenging that mindset through its Secure by Design initiative. The concept is almost embarrassingly straightforward: Software companies should build products that are secure before customers install them instead of relying on customers to compensate for insecure engineering afterward.
Imagine that. Security built into the software. A revolutionary idea.
The problem is that Secure by Design largely remains voluntary. That's a wonderful approach if you're organizing a neighborhood potluck. It's considerably less effective when defending power grids, hospitals, financial institutions, and government networks from hostile nation states.
Voluntary cybersecurity is a little like voluntary speed limits. The people already doing the right thing will continue doing it. Everyone else keeps driving ninety.
It's time to retire the industry's favorite liability shield. Software manufacturers should bear legal responsibility for preventable security failures that stem from negligent development practices. Not every vulnerability can be eliminated. Nobody expects perfection. But there's an enormous difference between sophisticated zero-day research and bugs that survive because security testing took a back seat to quarterly earnings.
Today, the incentives remain backward. A company ships vulnerable software. Customers buy additional security products. Consultants charge to secure it. Insurers write cyber policies. Incident response firms clean up the breach. The software vendor issues a patch. Everyone gets paid except the customer.
If another industry operated this way, congressional committees would be lining up television cameras before breakfast.
The consequences aren't theoretical. Recent CryptoClipper campaigns demonstrate just how effortlessly criminals capitalize on weak systems, silently replacing cryptocurrency wallet addresses and redirecting funds while victims remain blissfully unaware until their money disappears. Likewise, newly disclosed vulnerabilities such as CVE-2026-50656 illustrate a familiar story: another flaw, another emergency advisory, another race between defenders trying to patch and attackers trying to exploit.
The cycle has become so predictable it practically has seasons. Spring allergies. Summer vacations. Fall football. Winter ransomware.
Of course, secure software alone won't solve every problem. Organizations still need layered defenses. Zero Trust Architecture has emerged as one of the smartest evolutions in enterprise security because it assumes compromise is always possible. Every user, every device, every request earns trust instead of inheriting it.
That's exactly how modern networks should operate. But Zero Trust was designed to defend against sophisticated adversaries — not compensate for software that should have been written properly in the first place. Even the best locks lose some value if the builder forgot to install half the walls.
The federal government possesses perhaps the strongest incentive available, and it doesn't require creating an entirely new bureaucracy.
Washington buys a staggering amount of software. Start there. If a company wants federal contracts, Secure by Design shouldn't be an aspirational slogan tucked into its marketing materials. It should be a legal requirement backed by measurable engineering standards. Federal procurement has shaped everything from aviation safety to fuel efficiency. It can reshape software development just as effectively.
When Washington changes the rules, markets usually follow. That's particularly important as artificial intelligence accelerates both software development and cyberattacks. CISA has already conducted AI-focused cyber incident exercises, recognizing that tomorrow's threats will move faster than today's response playbooks. That's encouraging. Planning matters.
But we cannot tabletop-exercise our way around software that arrives riddled with avoidable vulnerabilities. Eventually, cybersecurity must stop treating the customer as quality assurance.
The average business owner isn't a penetration tester. Hospital administrators shouldn't need vulnerability management degrees to operate medical equipment. Local governments shouldn't require war rooms every time a software vendor discovers another critical flaw.
Consumers didn't write the code. Manufacturers did. For years, we've accepted a digital economy built on patches, apologies, and promises to "do better next release." That's not innovation. That's deferred responsibility wrapped in release notes.
The era of patch and pray has lasted long enough.
It's time software manufacturers stopped treating cybersecurity as someone else's problem — and started treating secure code the way every other industry treats product safety: as part of the job.
Editor's Note: Do you enjoy PJ Media's conservative reporting that takes on the radical left and woke media? Support our work so that we can continue to bring you the truth.
Join PJ Media VIP and use promo code FIGHT to receive 60% off your membership.
Julio Rivera is a business and political strategist, cybersecurity researcher, founder of ItFunk.Org, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, is regularly published by many of the largest news organizations in the world.
Recommended
Trending on PJ Media Videos

California Election Fraud Explosion Catches Dems in the Act