Coming across organization after organization that takes this "ignorance is bliss" approach has led me to the following conclusions:
- It’s best to have different people working on finding problems than on fixing them.
- A vulnerability you know about and choose not to fix is not as scary as the risks you don’t know about.
- Healthy remediation programs are focused on providing systemic solutions to systemic problems, not running down a list of issues one at a time.
One way to address this problem is a specialization approach: assign different people to defect discovery than to defect remediation. This divide and conquer approach tends to work quite well. In most cases I've come across, the traits that make an engineer good at finding issues are not the ones that make an engineer good at fixing them.