For what it's worth.
The root cause of most of these vulns is not mysterious. The trouble is people seem to fix the fault they found and don't go back and fix the source.
Finding a bug does not leverage finding other bugs, or stopping that class of bugs from being written again.
I think this could be baked into a software house that was cost competitive with others in the market but produced less vulnerable software.
But I agree that this cheap'n'nasty approach will persist till something goes seriously wrong and several people get hurt or killed. That's pretty much how safety improvements have been made in the transport industry.