
Strawman!
honeymonster Updated - 27th Jul 2010
Your half-year example is a straw-man. The average for the large software vendors hovers around 60 days.

Each day with a given vulnerability in a system incurs a certain risk that somebody has already discovered it and will be targeting you. Obviously, each day adds to the total risk.

But the next day - barring partial or full disclosure - is not more risky than the day before.

So what it comes down to is this: With no known attacks, would you rather prefer a full disclosure - severely increasing the likelihood of attacks until the vendor has a patch ready - or would you rather that the vendor acts in a timely manner (as fast as possible) where each day is not riskier than the one before?

Your assertion that somehow "more money" will solve the problem is without basis in reality. Barring formal system development where correctness can be mathematically proved, all software will have bugs.

However, you can encourage vendors to work more on software quality by buying/using the products with the fewer vulnerabilities.