The discovery pace question is the right one to be asking. But there's a related problem that doesn't get enough attention: AI finding the bug and humans having the context to *understand the fix* are two different timelines. OpenSSL is load-bearing infrastructure for half the internet. When a 25-year-old vulnerability surfaces, the patch has to be right the first time, reviewed by people who understand the full dependency surface. That's still a deeply human, deeply slow process — and it doesn't speed up just because the discovery side got faster. We might be entering a period where the vulnerability disclosure queue grows faster than the qualified-reviewer queue can drain it. That's a different kind of risk than the vulnerabilities themselves.