Why Companies Don't Fix Vulnerabilities: The Math Is Brutal
Change Healthcare's Citrix portal had no MFA. Equifax had a free patch three days before they were breached. Companies don't fix vulnerabilities because the expected-value math, run honestly, genuinely points at inaction, and the breach press releases that all read the same are exactly what that math produces.
On May 1, 2024, the chief executive of a four-hundred-billion-dollar healthcare company sat in front of the Senate Finance Committee and confirmed, under oath, that the attackers got in through a Citrix remote-access portal (the kind of web login page employees use to reach internal systems from home) that didn’t have multi-factor authentication (MFA) on it.[1] Senator Thom Tillis, a Republican on the Senate Finance Committee, held up a paperback copy of Hacking for Dummies and said, on camera, “This is some basic stuff that was missed.” Andrew Witty, the CEO, said paying the twenty-two-million-dollar ransom to the ransomware group BlackCat was “one of the hardest decisions I’ve ever had to make.”[1] Change Healthcare ultimately disclosed about $2.45 billion in cumulative impact from the attack.[2] UnitedHealth, the parent, finished the year and continued operating. No executive at UnitedHealth went to prison.
I’ve been reading breach press releases for a decade and they all sound the same. A vulnerability gets disclosed. The company stalls. The breach lands. The general counsel issues a statement saying the company “takes security seriously.” A few executives quietly retire. The stock dips and recovers. Eighteen months later nobody outside the security industry can remember the company’s name in connection with the breach. Then it happens again, somewhere else, in exactly the same shape.
The lazy framing of this pattern is that companies don’t care about security. That’s wrong, and it’s the kind of wrong that protects the people doing the bad thing. Companies care perfectly rationally. They run an expected-value calculation, the same kind a finance team runs on any other risk, and the answer that calculation produces, on most days, for most vulnerabilities, is genuinely skip it. The breach isn’t a system failure. The breach is the output the system was built to produce.
The decision behind every unpatched bug
The expected-value math companies actually run
Cost of patching now
- Engineering hours: inventory, regression, rollout, vendor coordination
- Downtime risk: production change against revenue-critical systems
- Opportunity cost: the same engineers could ship features
P(breach) × cost(breach)
Probability times impact, after insurance and settlement caps
Cost if breached
- Settlement and fines: mostly capped, mostly insurable
- Class-action exposure: $1.50 to $4 per affected record
- Short-term stock hit: recovers within 12 to 24 months
- A few quiet retirements: almost never criminal liability
Inside every 'we'll patch it next quarter' is this calculation, run silently, several layers below the CFO.
The Breach Is the Spreadsheet Working
Every CVE (a Common Vulnerabilities and Exposures entry) that gets logged at a Fortune 500 starts the same internal trip. A vulnerability scanner flags it. A ticket gets opened. The ticket lands on a team that may or may not own the affected service. Someone has to figure out whether the box even exists in production, how to test the patch, what the rollback plan looks like, who needs to approve the change window, and which downstream customer integrations might break. That work has a cost. The decision to skip it has a different cost, which arrives only if the vulnerability is found and exploited, by an attacker willing to use it on you specifically, before you’d have gotten around to patching anyway.
Multiply that second cost by its probability. Subtract whatever your insurance carries. Compare it to the first cost. Most of the time, on most CVEs, on most days, the first number wins. Not because anyone is being reckless. Because the right side of the equation is, empirically, not that big.
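As an added illustration (not from the original article), the box above as a small Python model: the left side is the cost of patching now, the right side is P(breach) times the breach cost after insurance, and break_even_probability gives the P(breach) at which patching becomes the cheaper option. Every figure in the scenario is constructed except the $1.50 to $4 per-record class-action exposure; the policy terms (retention, limit, coverage conditioned on controls) are assumptions, with the second policy standing in for the post-2022 underwriting regime the piece describes later.

```python
"""Expected-value model of the patch-or-skip decision described above.

Added illustration, not from the original article. Every dollar figure,
record count and probability below is a constructed input; the only
page-sourced number is the $1.50 to $4.00 per-record class-action exposure.
"""
from dataclasses import dataclass


@dataclass
class PatchCost:
    """Left column of the box above: what it costs to close the gap now."""
    engineering_hours: float       # inventory, regression, rollout, vendor coordination
    hourly_rate: float
    downtime_risk: float           # expected revenue lost to a bad change window
    opportunity_cost: float        # features the same engineers do not ship

    def total(self) -> float:
        return self.engineering_hours * self.hourly_rate + self.downtime_risk + self.opportunity_cost


@dataclass
class BreachCost:
    """Right column: what a breach costs before probability and insurance."""
    records: int
    per_record_exposure: float     # class-action exposure, $1.50 to $4.00 per record (page figure)
    fines: float                   # regulatory settlements, mostly capped
    response_cost: float           # forensics, notification, credit monitoring

    def gross(self) -> float:
        return self.records * self.per_record_exposure + self.fines + self.response_cost


@dataclass
class Policy:
    """Cyber-insurance terms (assumed shape): how much of the loss the carrier absorbs."""
    retention: float               # deductible the insured pays first
    limit: float                   # most the carrier will pay
    conditional: bool = False      # post-2022 style: coverage conditioned on named controls

    def payout(self, loss: float, gap_breaks_warranty: bool) -> float:
        """gap_breaks_warranty: the unfixed gap (e.g. MFA missing on a remote
        portal) is one of the controls the carrier made a condition of cover."""
        if self.conditional and gap_breaks_warranty:
            return 0.0             # claim denied; the insured eats the whole loss
        return max(0.0, min(loss - self.retention, self.limit))


def net_breach_cost(b: BreachCost, p: Policy, gap_breaks_warranty: bool) -> float:
    loss = b.gross()
    return loss - p.payout(loss, gap_breaks_warranty)


def expected_skip_cost(prob: float, b: BreachCost, p: Policy, gap_breaks_warranty: bool) -> float:
    """P(breach) x net cost(breach): the number the CFO compares against patching."""
    return prob * net_breach_cost(b, p, gap_breaks_warranty)


def break_even_probability(patch: PatchCost, b: BreachCost, p: Policy, gap_breaks_warranty: bool) -> float:
    """P(breach) above which patching now is cheaper; inf if insurance drives
    the net breach cost to zero, in which case no probability justifies it."""
    net = net_breach_cost(b, p, gap_breaks_warranty)
    return float("inf") if net <= 0 else patch.total() / net


def decide(prob: float, patch: PatchCost, b: BreachCost, p: Policy, gap_breaks_warranty: bool) -> str:
    return "patch" if patch.total() < expected_skip_cost(prob, b, p, gap_breaks_warranty) else "skip"


# Constructed scenario: a mid-sized company, one critical gap, 2M customer records.
PATCH = PatchCost(engineering_hours=400, hourly_rate=150, downtime_risk=40_000, opportunity_cost=100_000)
BREACH = BreachCost(records=2_000_000, per_record_exposure=2.00, fines=1_000_000, response_cost=3_000_000)
OLD_POLICY = Policy(retention=250_000, limit=10_000_000)                    # 2010s: pay premium, ask nothing
NEW_POLICY = Policy(retention=250_000, limit=10_000_000, conditional=True)  # post-2022: controls are warranties

if __name__ == "__main__":
    for label, policy in (("2010s policy", OLD_POLICY), ("post-2022 policy", NEW_POLICY)):
        be = break_even_probability(PATCH, BREACH, policy, gap_breaks_warranty=True)
        print(f"{label}: patch now = ${PATCH.total():,.0f}, net breach = "
              f"${net_breach_cost(BREACH, policy, True):,.0f}, break-even P(breach) = {be:.1%}, "
              f"at P=5% -> {decide(0.05, PATCH, BREACH, policy, True)}")
```

With the same gap and the same loss, the 2010s policy leaves only the retention uninsured, so patching is rational only above an 80% chance of breach this cycle; once the carrier conditions cover on the missing control, the break-even drops to 2.5% and the same 5% estimate flips the decision to patch.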
The Real Cost of a Breach Is Smaller Than You Think
Equifax is the case people use to argue breaches are catastrophic. It’s actually the case that proves the opposite. The vulnerability was in Apache Struts, the open-source Java web framework Equifax used to run its consumer dispute portal, tracked publicly as CVE-2017-5638. The patch was disseminated on Equifax’s own internal listserv on March 9, 2017, the day after the US Computer Emergency Readiness Team (US-CERT, the federal agency that warns about active vulnerabilities) emailed Equifax about it.[3] A vulnerability scanner ran across the network, missed the affected dispute portal because of an out-of-date certificate, and no human caught the gap. Attackers walked in on May 13 and stayed until July 29, walking out with personally identifiable information (PII) for about 147 million people.[4]
Then the bill came in. The Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 state and territory attorneys general settled with Equifax for $575 million minimum, up to $700 million.[4] Equifax’s own 10-K filings put cumulative breach-response cost above $1.4 billion by 2019.[5] The CEO “retired.” The chief information officer and chief security officer “retired.” A senior vice president named Graeme Payne, whose team was responsible for pushing the patch out, was fired for failing to forward the relevant US-CERT email to his direct reports, which is the kind of detail you wouldn’t believe in a novel.[3] No executive went to prison.
Equifax stock closed at roughly $142 on September 7, 2017, the day before disclosure. It bottomed near $93 a week later. It was up 50% in 2019 and trading above pre-breach levels by 2020.[5] The largest single regulatory penalty for a data breach in US history wiped out a single quarter of free cash flow, and the company kept compounding.
Takeaway
The biggest data-breach settlement in US history is a single bad quarter for a company with monopoly pricing power on consumer credit data. Two years later the stock was up 50%.
Equifax is the high end. The rest of the canon is cheaper. Capital One’s 2019 breach exposed about 106 million applicants’ data through a misconfigured web application firewall (WAF, the network device meant to inspect HTTP traffic before it hits the server). The Office of the Comptroller of the Currency (OCC, the federal regulator of national banks) fined them $80 million.[6] The class-action settlement came in at $190 million.[7] The OCC’s order specifically noted that Capital One had moved IT operations to public cloud “around 2015” and had “failed to implement effective network security controls” for four years. The bank ran with the gap, open and known, until somebody used it. Stock recovered to pre-breach levels within months.
T-Mobile was breached in 2021, 2022, and 2023. The aggregate class-action settlement for the 2021 incident was $350 million plus a $150 million commitment to security spending.[8] The Federal Communications Commission added a $31.5 million consent decree in September 2024 covering all three years, structured as a $15.75 million civil penalty plus a multi-year compliance plan to implement controls T-Mobile would arguably have needed anyway.[9] That total ($31.5M plus $350M plus $150M) is about 0.7% of T-Mobile’s 2023 revenue. The CEO stayed. Three breaches in three years and not one executive was fired.
The cleanest evidence the system tolerates this comes from a guy named Joe Sullivan, who you should remember by name because he’s the only US security executive criminally convicted for a data breach cover-up in the modern era. Sullivan was Uber’s chief security officer in 2016 when attackers stole 57 million riders’ records, including 600,000 driver’s license numbers, by finding AWS credentials in a private Uber GitHub repository. Sullivan’s team paid the attackers $100,000 in bitcoin through Uber’s bug bounty program and made them sign non-disclosure agreements falsely attesting they hadn’t taken any data. He concealed the whole thing from the FTC, which was at that moment deposing him about a separate Uber breach. He was indicted in August 2020, convicted by a federal jury in October 2022, and sentenced in May 2023.[10] Sullivan is, to date, the only US security executive criminally convicted in connection with a breach.
Sullivan’s sentence was three years of probation, 200 hours of community service, and a $50,000 fine. No prison.[10] Judge William Orrick said at sentencing that “if I have a similar case tomorrow, the defendant probably will not be receiving the kind of sentence I’m imposing today.”[10] The Ninth Circuit affirmed the conviction in March 2025, so the precedent is now real.[11] Travis Kalanick, the CEO at the time, faced no charges. The signal to every other chief security officer reading the news was that the worst-case outcome for personally orchestrating a cover-up is probation and a fine smaller than the $100,000 bug bounty Sullivan himself authorized.
The Real Cost of Patching Is Bigger Than You Think
The other side of the equation is the part security people undersell. “Just patch it” is what an outside columnist says. It is not what the patching engineer says. The patching engineer says: we have to find every instance of the affected component, including the ones nobody’s touched in four years; we have to validate the patch doesn’t break a downstream integration with a vendor whose engineer left in 2022; we have to schedule a change window with the team that owns the service, except the team that owned the service got reorganized and the new team is on a feature deadline; we have to do all of this while also working on the other 73 critical CVEs the scanner logged this quarter.
Equifax’s breach happened because the company didn’t know where Apache Struts was running. The patch was free. The cost was inventory. Change Healthcare’s breach happened because a $400 billion company couldn’t enforce MFA on a Citrix portal that, by the parent company’s own admission to the Senate, sat on the public internet without it.[1] The control was free. The cost was making someone the executive sponsor for shipping it. The patching problem is almost never that the patch is hard. The patching problem is that the patch has to land somewhere in an org chart that doesn’t want it.
Cyber Insurance Did Half The Math, Then 2022 Happened
For most of the 2010s, the math was even more lopsided than I’ve made it sound, because cyber insurance was doing half of the calculation for the buyer. Global cyber insurance gross written premium grew from roughly $3 billion in 2015 to about $15.3 billion in 2024.[12] Carriers were aggressive on coverage, light on underwriting, and easy on claims. Premium discounts for actually having MFA or endpoint detection were minimal. From a CFO’s point of view the policy did the same job as a fire-insurance policy: pay the premium, let the carrier worry about the controls.
Then ransomware happened to the carriers. Top-20 cyber insurer loss ratios crossed 66% in 2020 for the first time, the inflection point where the line stopped being broadly profitable.[13] Marsh’s Q1 2022 Global Insurance Market Index logged US cyber rates up 110% year over year.[14] Lloyd’s of London issued Market Bulletin Y5381 on August 16, 2022, requiring all standalone cyber policies under risk codes CY and CZ to carry explicit state-backed cyber-attack exclusions effective on placement or renewal starting March 31, 2023.[15] The bulletin was a reaction to a New Jersey court ruling that the existing “hostile or warlike” exclusion didn’t block Merck’s $1.4 billion claim against its insurer ACE American for damages from NotPetya, the 2017 Russian state-backed wiper attack that escaped Ukraine and devastated Western corporate networks.[16] Carriers needed an exclusion in writing because the implicit one had failed.
The hardening didn’t go away with the rate cycle. US cyber premiums fell 2.3% in 2024, the first ever annual decline, as the market softened on price, but the underwriting requirements stuck.[17] To renew coverage in 2026, a mid-sized company has to demonstrate MFA on every privileged account, endpoint detection on every server, tested backups, and an incident-response retainer. The insurance industry, which had been a balance-sheet shock-absorber that dampened the urgency to patch, flipped into a de-facto compliance regime that mandates the basics by underwriting fiat. That’s not nothing. It might be the single biggest behavior-changer the math has seen.
Takeaway
Insurance changes who eats the cost of a breach. Pre-2021, carriers ate most of it and asked few questions. Post-2022, carriers eat less and ask harder questions. That shift, more than any regulatory action, has actually moved spending toward controls.
The CISO Loses Every Quarterly Planning Meeting
Run the org chart at almost any large company and security reports up through a chief information officer or chief technology officer, who reports to the chief executive, who answers to the chief financial officer’s spreadsheet. Security is a cost center asking to slow product down. Sales is a revenue center asking to ship faster. Every quarter those two requests collide in front of an executive whose compensation is tied to revenue, not to whether a critical CVE was patched within thirty days. Guess who tends to win.
The Securities and Exchange Commission tried to change this by going personal. In October 2023, it sued SolarWinds and named the company’s chief information security officer (CISO), Timothy Brown, individually, for securities fraud over the 2020 SolarWinds supply-chain compromise that infected federal agencies and Fortune 500 networks through a tainted update, internally tracked as SUNBURST.[18] The complaint quoted internal SolarWinds emails in which Brown allegedly wrote that the company was “so far from being a security minded company” and noted, with the kind of detail that gets pinned to a courtroom whiteboard, that an internal server password had been “solarwinds123.” It was the first time the SEC had ever named a CISO personally as a defendant in a securities-fraud action.
Then it fell apart. On July 18, 2024, Judge Paul Engelmayer, a federal district judge in Manhattan, dismissed almost every claim.[19] All risk-factor disclosures: dismissed. Post-incident 8-K filings (the four-day disclosure form public companies file for material events): dismissed. The internal-controls theory under Section 13(b)(2)(B) of the Exchange Act, the SEC’s longstanding accounting-controls statute: dismissed, the court ruling the statute covers financial controls, not cybersecurity systems. What survived was a narrow fraud claim built on SolarWinds’ own marketing copy on a public “Security Statement” webpage. In November 2025, the SEC voluntarily dismissed even that, with prejudice.[19] The flagship attempt to use individual CISO liability as a behavior-changer ended with the regulator walking away.
The CISO labor market read the room. By 2024, 72% of chief information security officers surveyed by ClubCISO and Proofpoint reported they would refuse a role without contractual liability protection.[20] Heidrick and Struggles’ CISO survey shows directors and officers (D&O) insurance coverage rising rapidly. The talent priced in the risk and largely insured around it. The org chart did not change.
Security asks
“We need a sprint to patch this CVE before it’s exploited.”
No revenue impact. No deal closes faster. Possible downtime. Risk if skipped is statistical.
Sales asks
“We need the new dashboard live before the customer’s renewal call.”
$4M in annual recurring revenue on the table. Concrete deadline. Concrete owner. Risk if skipped is certain.
CFO decides
“Ship the dashboard. Patch in the next window.”
The CFO is correct, every single quarter, on the actual math in front of her. The CVE will not be exploited this quarter, and if it is, it probably won’t be this one.
I want to be careful here because this is the part of the article that sounds the most cynical, and it’s also the part where I have the most sympathy for the people actually making the call. The CFO is not being negligent. The CFO is reading the spreadsheet correctly. Until somebody’s bonus depends on whether the patch landed, the patch doesn’t land.
Microsoft figured this out the hard way and is the closest thing to a counter-case I can point at. After Storm-0558, the Microsoft-tracked codename for a Chinese state-backed intrusion that read US government Exchange Online inboxes through a forged authentication token in summer 2023, the Cyber Safety Review Board (CSRB, the public-private body that does post-mortems on major incidents) issued a report in April 2024 calling Microsoft’s breach “preventable” and describing the company’s security culture as “inadequate” and in need of “an overhaul.”[21] When a federal review board uses that kind of language about an American technology company, the next twelve months tend to involve congressional hearings. Two weeks later, Microsoft Security executive vice president Charlie Bell published an internal-then-public memo announcing that part of senior leadership team compensation would now depend on hitting security milestones.[22] They put it on the spreadsheet. That’s the thing that has to happen for the math to change.
The Critics Are Right About One Thing
The strongest version of the counter-argument is that the math never gets done coherently in the first place. Ponemon’s 2019 survey on vulnerability response gaps found that 60% of breach victims said they were compromised through a known vulnerability for which a patch was available, 62% said they were unaware they were vulnerable at all, and the average deployment delay was 12 days due to data silos.[23] The CFO never sees the ticket. A director-level security manager files it, an engineering team that didn’t inherit the affected service ignores it, and it ages out. Fair. That’s a real adversarial read. Where I land is that the operational failure is itself the downstream symptom of an upstream expected-value calculation. Companies don’t staff coherent vulnerability ownership because the cost of staffing it (head count, executive attention, cross-functional authority) is higher than the cost of not staffing it. It’s still an economic decision. It’s just one that was made several quarters before the ticket got opened.
What Could Actually Flip The Math
The thing to watch is which side of the equation the next round of regulation, litigation, and insurance moves first. Not all of it will work. Most of it hasn’t yet.
The regulatory and legal levers, 2022 to 2026
What's actually trying to change the math, and how it's going
- August 2022 (state-backed claims, off-loaded): Lloyd's mandates explicit state-backed exclusions in cyber policies
Market Bulletin Y5381 requires standalone cyber policies to exclude state-backed attacks starting March 31, 2023. The Merck v. ACE ruling earlier that year had blocked carriers from leaning on the old “warlike action” language. The carriers wrote the new rule themselves and started underwriting harder.[15]
- July 26, 2023 (55 filings, 1 enforcement): SEC adopts cybersecurity disclosure rule (Item 1.05 of Form 8-K)
Public companies must disclose material cybersecurity incidents within four business days of the materiality determination. Through January 2025, 55 filings had been made; many companies migrated to voluntary Item 8.01 disclosures to avoid the materiality admission. One enforcement action so far ($2.1 million against R.R. Donnelley). The rule has been more disclosure-shaping than behavior-shaping.[24]
- October 30, 2023 (walked away November 2025): SEC sues SolarWinds and CISO Tim Brown personally
The first SEC case to name a CISO personally as a defendant. Most claims dismissed July 18, 2024 by Judge Engelmayer. The internal-controls theory rejected. The narrow surviving fraud claim was voluntarily dismissed with prejudice by the SEC on November 20, 2025. The personal-liability era ended quietly.[19]
- May 1, 2024 ($2.45B impact, MFA gap): UnitedHealth CEO testifies on Change Healthcare under oath
Andrew Witty confirmed to the Senate Finance Committee that the attackers entered through a Citrix portal without multi-factor authentication, and that UnitedHealth paid a $22 million ransom to BlackCat. UnitedHealth’s 2024 disclosed cumulative impact: about $2.45 billion. No federal enforcement action against UnitedHealth executives followed.[1]
- May 3, 2024 (the math actually flipped): Microsoft ties senior leadership compensation to security outcomes
After the CSRB report calls Microsoft’s Storm-0558 breach “preventable” and the security culture “inadequate,” Charlie Bell announces that part of senior leadership compensation depends on Secure Future Initiative milestones. This is the most consequential thing on this timeline. The rest of the Fortune 500 has not copied it.[22]
- October 17, 2024 (Article 32(6) untested): EU NIS2 transposition deadline
The directive expands cybersecurity obligations to 18 sectors and lets regulators fine essential entities up to €10 million or 2% of global turnover. Article 32(6) lets regulators suspend executives from management functions for gross negligence. That personal-liability hook hasn’t been used yet. Many member states missed the transposition deadline.[25]
Takeaway
The regulatory tools that exist on paper are not flipping the math in practice. The insurance tools have flipped half of it, by accident, because carriers needed to stop losing money. The compensation tool has flipped it inside one company, on purpose.
Verizon’s 2024 Data Breach Investigations Report puts a number on the gap between attacker speed and defender speed: vulnerability exploitation as an initial access vector grew 180% year over year, and the median time for organizations to remediate half of their critical vulnerabilities is 55 days, against a median time to mass exploitation of newly catalogued vulnerabilities of about 5 days.[26] An 11-to-1 ratio is not a system catching up. It’s a system that has accepted the gap.
What I Actually Think
The reason I find this frustrating, and the reason I wrote two thousand words about it instead of one tweet, is that the people who are going to read this and call it cynical are the same people whose job descriptions could fix it. Tie a 10% executive bonus to the patching backlog and the backlog gets worked. Run a board-level scorecard with mean-time-to-remediate alongside revenue and the scorecard gets met. Make the CFO personally answerable for an unencrypted laptop on the network and you’ll get an inventory by Friday. The math is not a law of nature. It’s a set of incentives somebody chose. Until somebody changes the spreadsheet, the breach is just inventory waiting to be counted.
If this rhymed with anything you’ve seen close up, three related pieces on this site are worth your time. The zero trust security checklist walks the controls Microsoft is forcing itself toward. The DevSecOps pipeline guide is the operational layer where “we’ll patch in the next window” either ships or doesn’t. And the security tabletop exercises piece is about the one habit that materially shrinks breach response cost when (not if) the math finally catches up with you.
Sources and further reading
1. (Primary) Andrew Witty, written testimony before the Senate Finance Committee. May 1, 2024. Confirms MFA gap on the Citrix portal and the $22M ransom paid to BlackCat.
2. (Primary) UnitedHealth Group Q3 2024 earnings. Cumulative Change Healthcare impact through Q3 2024.
3. (Primary) US House Committee on Oversight, "The Equifax Data Breach". December 2018. Names the un-forwarded patching email and the scanner failure.
4. (Primary) FTC, "Equifax to Pay $575 Million as Part of Settlement". July 22, 2019.
5. (Primary) Equifax annual reports (10-K). Cumulative breach-related cost disclosures and historical stock data.
6. (Primary) OCC press release on Capital One $80M penalty. August 6, 2020.
7. (Primary) Capital One class-action settlement official site. $190M settlement, final approval September 13, 2022.
8. (Reporting) T-Mobile 2021 breach class settlement announcement. Final approval June 29, 2023.
9. (Primary) FCC consent decree with T-Mobile. September 30, 2024. $31.5M total covering 2021, 2022, 2023 incidents.
10. (Primary) DOJ, sentencing release for Joseph Sullivan. May 4, 2023. Includes Judge Orrick's comments on future cases.
11. (Primary) Ninth Circuit opinion affirming USA v. Sullivan. March 13, 2025.
12. (Primary) Munich Re, "Cyber Insurance: Risks and Trends 2025". Global cyber insurance GWP series 2015 through 2024.
13. (Primary) NAIC Cyber Supplement Report 2022. Loss ratios for top-20 US cyber insurers, 2017 through 2021.
14. (Primary) Marsh Global Insurance Market Index Q1 2022. US cyber rates +110% YoY at the peak of the hardening.
15. (Primary) Lloyd's of London, Market Bulletin Y5381. August 16, 2022. Mandates state-backed cyber exclusions.
16. (Primary) Merck v. ACE American Insurance, NJ Appellate Division opinion. May 1, 2023. War exclusion did not bar $1.4B NotPetya claim.
17. (Reporting) AM Best: US cyber direct written premium fell 2.3% in 2024. First annual decline since the line began.
18. (Primary) SEC press release on SolarWinds and Tim Brown complaint. October 30, 2023. First case naming a CISO personally.
19. (Primary) SEC litigation release, SEC v. SolarWinds. Tracks dismissal history through voluntary dismissal with prejudice on November 20, 2025.
20. (Reporting) IANS Research / Artico Search, 2024 CISO compensation report. D&O and personal-liability protection trends.
21. (Primary) Cyber Safety Review Board, Storm-0558 review. April 2024. "Preventable," "inadequate," "overhaul."
22. (Primary) Charlie Bell, "Security above all else". May 3, 2024. Senior leadership compensation now tied to security milestones.
23. (Reporting) Ponemon Institute, "Costs and Consequences of Gaps in Vulnerability Response" (2019, sponsored by ServiceNow). 60% of breached victims had a patch available; 12-day average deployment delay due to silos.
24. (Primary) SEC final rule, Release 33-11216. Item 1.05 of Form 8-K cybersecurity disclosure rule.
25. (Primary) EU NIS2 Directive (Directive 2022/2555). EUR-Lex official text. Article 32(6) on personal liability.
26. (Primary) Verizon, 2024 Data Breach Investigations Report. Vulnerability exploitation +180% YoY; median time to mass exploit vs. organizational remediation.
Written by
Tech Talk News Editorial
Tech Talk News covers engineering, AI, and tech investing for people who build and invest in technology.