An article that discusses this idea:
Shin, Y. and Williams, L., Is Complexity Really the Enemy of Software Security?, Quality of Protection Workshop at the ACM Conference on Computers and Communications Security (CCS) 2008, Alexandria, VA, pp. 47-50.
Software complexity is often hypothesized to be the enemy of
software security. We performed statistical analysis on nine
Mozilla application framework to investigate if this hypothesis
is true. Our initial results show that the nine complexity
measures have weak correlation (ρ=0.30 at best) with security
replicated on more products with design and code-level metrics.
It may be necessary to create new complexity metrics to
embody the type of complexity that leads to security problems.