A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time. But what happens if they don’t?