Plus there are hordes of academics using Clang/GCC as targets for bug-finding papers. The Csmith [1] paper alone has over a thousand citations at this point. I'd assume most of the low-hanging fruit is picked.
In my humble experience, both in academia and the cybersecurity industry, there are relatively few individuals and teams with the drive necessary to discover the most challenging bugs, especially compared to the sheer scale of the challenges. Fuzzing is just one example of this. Additionally, with billions of lines of code, it takes significant time for research to translate into real-world engineering practices.
One example of higher-order reasoning about this is [1] (includes metrics).
wslh|1 year ago
[1] "As TVL rises, so does the probability of being hacked" https://www.bittrap.com/resources/defis-growing-pains:-as-tv...