Why security experts believe we should manage software flaws like a critical illness

As with diabetes or heart disease in humans, we may simply have to learn to manage – rather than eliminate – the majority of software bugs, experts say.
- Anthropic's unreleased Claude Mythos exposes vulnerabilities faster than fixes, raising doubts about chasing every flaw.
- Experts argue most bugs are minor; fixing all is costly, so companies should prioritize risks that impact operations.
- With under 2% of vulnerabilities exploited, industry is shifting toward risk-based management over total elimination.
Earlier this month, it was revealed that Claude Mythos, an unreleased “frontier” AI model, can reportedly find vulnerabilities far faster than humans can remediate them.
But do all bugs need treatment? Do all systems need to be 100% vulnerability-free? Or have we entered an era where cybersecurity is less about eradication and more about managing risk, much as we manage illnesses such as diabetes, cancer, or heart disease?
Weeding out vulnerabilities has long been viewed as a critical, ongoing process designed to stop attackers from exploiting weaknesses.
Many tech vendors – including Anthropic, the maker of Claude AI – argue that proactive vulnerability discovery is essential to protect data, maintain continuity, and avoid financial or reputational damage.
Anthropic says Mythos is too dangerous for public release if it falls into the wrong hands, and has selected 40 key companies – the usual mix of big tech, major cyber firms, and financial institutions – to test the system. It's a project known as “Glasswing.”
Some have dismissed this as an Anthropic marketing exercise or client prospecting.
Anthropic was previously blacklisted by all US federal agencies over its autonomous weapons clause. It has since been reported, however, that agencies such as the NSA are among those using Mythos. Whatever the claims, it is clear that the industry is taking models like this seriously.
More flaws, but it’s just not that deep
But if supercharged bug-hunting AIs are surfacing 20-year-old flaws faster than organizations can fix them, perhaps we're better off asking this: outside of banks and critical infrastructure, how much should we care?
Security researchers have already begun to question some of Mythos’ claims. For example, Marcus Hutchins, who helped halt the WannaCry outbreak, said last week that some bugs identified by Mythos were more likely to crash systems than to enable remote compromise – the outcome that most attackers actually want.
The marketing mantra from cyber vendors has been to “fight AI with AI.” But what if the AI is mostly finding minor ailments rather than life-threatening conditions?
Michele Novack, a cyber engineer, auditor, and compliance officer focused on small businesses, says companies should be cautious before investing in tools they may not need.
“You are never going to have a zero-vulnerability system. If you try to fix every tiny flaw, you'll spend all your money on IT and never actually run your business,” she said.
“We have to accept that we are always going to be a little sick – and that's okay, because we can still function.”
Learnings from OT
In operational technology – systems that run factories, utilities, and other real-world processes – patching flaws has never been the endgame.
Recently, Christina Hofer, an OT security exec at Forescout Vedere Labs, explained in her talk, "When a Patch Can’t Stop a Blackout," that if a vulnerability does not affect day-to-day operations, it is often managed rather than fixed.
She described a client running an electronic billboard system that contains malware, but has chosen not to remove it because it is not disrupting operations.
The system is isolated, old, and costly to modernize. Instead, technicians periodically inspect it, check that no wildlife has gnawed through the cables, reboot it, and keep it functioning.
In this case, the client would rather keep the process running than undertake an expensive rebuild.
"There will always be vulnerabilities. They are inevitable. We need to decide which ones matter.”
Christina Hofer, researcher, Forescout Vedere Labs
That tension often defines the divide between IT and OT. Traditional IT teams may be measured on how many vulnerabilities they close each month. OT teams tend to ask a simpler question: Does it interfere with operations?
Adopting an OT-style approach may now become necessary as vulnerability reporting overwhelms the system.
NIST changes
Last week, the National Institute of Standards and Technology (NIST), which maintains the National Vulnerability Database, said it was moving toward a risk-based model, acknowledging that it can no longer fully document every reported flaw catalogued as a CVE (Common Vulnerabilities and Exposures) entry.
For many, that shift was inevitable. The volume of reported vulnerabilities has surged while the quality of submissions has often declined – a trend accelerated by AI-generated reporting.
According to VulnCheck, as of 2026, 5,000 CVEs have been exploited in the wild out of roughly 310,000 total – less than 2%.
So while banks, payment networks, and governments are right to examine tools like Mythos closely, it should not automatically trigger another industry-wide call to “fight AI with AI.”
When the treatment outweighs the benefits
Joe Brinkley of the pentest firm Cobalt argues that businesses are reaching a point where fixing every flaw is not only impossible but also counterproductive.
“Discovery has become cheap, but validation remains incredibly expensive.”
“If it took 100,000 GPU hours to identify a bug that still requires a highly specific, unlikely user interaction to trigger, that is textbook risk acceptance.”
"We’re treating a chronic illness by focusing on the symptoms that actually threaten the patient’s life – exploits that can jump from the lab to a production server.”
Joe Brinkley, pentester, Cobalt
The goal should not be a longer list of bugs. It should be a smarter way to ignore the 90% that do not matter, so organizations can focus on the 10% that do.
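One way to make the "ignore the 90%, focus on the 10%" rule concrete is to triage findings on evidence rather than on raw counts: known exploitation in the wild first, then how reachable the bug is and what the affected asset does. The script below is an added illustration, not code from the article, Cobalt, VulnCheck or NIST. It assumes each finding carries a CVSS v3.1 vector string, a flag for whether the CVE appears on a known-exploited list (such as CISA's KEV catalog), and the operator's own judgement of whether the asset is internet-facing and whether it runs an operational process; the CVE numbers, the bucket names and the rule thresholds are constructed for the demo.

```python
"""Risk-based vulnerability triage over a constructed inventory.

Added illustration, not code from the article or from any vendor it quotes.
Assumptions: CVSS v3.1 vector strings are available per finding, exploitation
evidence comes from a known-exploited list, and the two asset flags are set by
the operator. The rule order is a demo policy, not an industry standard.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    cve: str               # identifier as reported (placeholder values below)
    cvss_vector: str       # CVSS v3.1 vector string
    exploited: bool        # present on a known-exploited-vulnerabilities feed
    internet_facing: bool  # asset reachable from outside the network
    runs_operations: bool  # asset carries a business or OT process


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', ...}; raise on malformed input."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    for required in ("AV", "AC", "PR", "UI", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"missing {required} in {vector!r}")
    return metrics


def triage(f: Finding) -> str:
    """Return 'fix now', 'schedule' or 'accept' for one finding.

    Exploitation evidence dominates; then a remotely reachable bug that needs
    no user action on an exposed asset; everything that needs local access or
    an unlikely user interaction on a non-exposed asset is accepted and
    monitored rather than patched (the article's risk-acceptance case).
    """
    m = parse_cvss_vector(f.cvss_vector)
    remote = m["AV"] == "N"
    needs_user = m["UI"] == "R"
    can_disrupt = m["I"] == "H" or m["A"] == "H"
    if f.exploited:
        return "fix now" if (f.internet_facing or f.runs_operations) else "schedule"
    if remote and not needs_user:
        if f.internet_facing:
            return "fix now" if m["PR"] == "N" else "schedule"
        return "schedule"
    # Local-only or user-dependent: accept unless the asset runs operations,
    # is exposed, and the bug can take it down.
    if f.runs_operations and f.internet_facing and can_disrupt:
        return "schedule"
    return "accept"


def triage_all(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group CVE ids by triage bucket, preserving input order within a bucket."""
    buckets: Dict[str, List[str]] = {"fix now": [], "schedule": [], "accept": []}
    for f in findings:
        buckets[triage(f)].append(f.cve)
    return buckets


# Constructed sample inventory; the CVE numbers are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", True, True, False),
    Finding("CVE-0000-0002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", False, True, False),
    # crash-only, local, needs a user action, on an isolated OT box
    Finding("CVE-0000-0003", "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", False, False, True),
    Finding("CVE-0000-0004", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", False, False, False),
    Finding("CVE-0000-0005", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True, False, False),
    Finding("CVE-0000-0006", "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", False, True, False),
]

if __name__ == "__main__":
    for bucket, cves in triage_all(SAMPLE).items():
        print(f"{bucket:8s} {cves}")
```

The point of the ordering is that a CVSS 9.8 with no exploitation evidence on an internal host lands in "schedule", while a low-scoring bug that is actually being exploited on an internet-facing box lands in "fix now"; a malformed vector raises instead of silently scoring zero, so a parsing failure cannot quietly push a finding into "accept".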
Not everyone agrees
David E. Williams, CEO of the cybersecurity company Atumcell and president of the healthcare strategy consulting firm Health Business Group, is well placed to judge the chronic disease analogy, and he rejects it, arguing that it normalizes passivity.
“Chronic diseases are stable adversaries. Hypertension doesn't scan for new ways to kill patients.”
A better comparison, he says, is levee management on the Mississippi River: engineers do not repair every crack, but they know exactly which ones matter when floodwaters rise.
Williams also compares vulnerability management to air traffic control.
“No flight is perfectly safe. The system runs on calibrated, continuously monitored acceptable risk.”
David E. Williams, CEO, Atumcell
Planes are not grounded for every minor issue. But when a systemic flaw emerges – such as the Boeing 737 MAX crisis – fleets are pulled from service despite the cost.
Whatever comparison you choose, it is clear that, as in many other sectors, perfection is an illusion.
AI is now forcing the industry to admit it. The security of our systems will not necessarily depend on those who find the most bugs, but on those who know which bugs can be ignored safely.