This post from Robert Martin, Stabilization, along with some recent lectures on Cyber-Security (from MIT's Srini Devadas) came together with the insight that both "patch & pray" cyber security and the passive stabilization process are each pursuing negative goals. In other words, they are trying to prove the absence of bugs or vulnerabilities. Proving a negative like this is impossible - you'd have to imagine and try every conceivable data input or attack vector. Since you can only really prove a positive (when the system gets this, it does that) - then, as Bob Martin suggests - you need to check that you have high test coverage, and subsequently high code coverage when running those tests - not just x hours of problem-free run-time. In the security realm, just because you have a firewall and haven't seen that you've been hacked, you can't simply assume you are safe; you need to test applications for specific attacks, like SQL injection, or by port ...
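To make the "prove a positive" idea concrete for the SQL injection case the post mentions, here is an added example (my own code, not from the post or from Bob Martin): a small positive test that states the behaviour we want under a hostile-looking input and checks it against two lookup functions, one that splices input into the query text and one that binds it as a parameter. The table, the rows, the `find_user_*` function names and the fixture string are all constructed for the example.

```python
"""Positive security test for SQL injection, in the spirit of the post:
instead of assuming the application is safe because nothing bad was observed,
assert the specific behaviour we want when given a hostile-looking input.

This is an added example, not code from the original post. The schema,
the find_user_* functions and the sample rows are all constructed here."""
import sqlite3

# Constructed sample data: a tiny in-memory user table.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, name):
    # 'Before' form: user input spliced directly into the SQL text.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Hardened form: the input travels as a bound parameter, never as SQL text.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed fixture: a name that only a correctly parameterised query
# treats as plain data.
INJECTION_INPUT = "x' OR '1'='1"


def lookup_returns_only_literal_match(lookup):
    """The positive property under test: given the hostile-looking name, the
    lookup returns exactly the rows whose name is literally that string
    (none in the sample data). Returns True when the property holds."""
    conn = make_db()
    rows = lookup(conn, INJECTION_INPUT)
    expected = [u for u in SAMPLE_USERS if u[0] == INJECTION_INPUT]
    return rows == expected


def lookup_finds_real_user(lookup):
    """Functional companion check: a legitimate name still resolves."""
    conn = make_db()
    return lookup(conn, "alice") == [("alice", "alice@example.com")]


if __name__ == "__main__":
    # The unsafe form fails the positive property (it returns every row);
    # the parameterised form passes it while still finding real users.
    print("unsafe passes:", lookup_returns_only_literal_match(find_user_unsafe))
    print("safe passes:", lookup_returns_only_literal_match(find_user_safe))
```

The point of the test is that it asserts a concrete "when the system gets this, it does that" property, so it can be run on every build and counted toward coverage, rather than relying on the absence of observed incidents.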
Thoughts and Ideas of a working software engineer. Observations of the oft-forgotten, but painfully obvious. Remember: Experience pays, and experience costs.