Are vulnerabilities defects?

An interesting excerpt from the book "Beautiful Security". The quotation is taken from Jim Routh's chapter (p. 189), which explains the software security process that he himself put in place at a large company:

"But some team leaders were not playing along. They were unwilling to relax schedules or use the productivity factor to offset the increased time needed to fix identified vulnerabilities [using static analysis tools]. They preferred to allocate time and budget to creating functionality rather than improving the vulnerability risk score of their team's code. In effect, the team leaders conveniently assumed that security vulnerabilities were not defects and could be deferred for future enhancements or projects." [emphasis mine]