Fix the Damn Thing Because It’s Broken: CVEs, Security Theatre, and Real Accountability
I recently found myself nodding along to a heated conversation about CVEs and the illusion of security they often create. One line hit particularly hard:
“Fix the damn thing because it’s broken, not because it has a CVE.”
It captures something I’ve felt for a long time but hadn’t articulated: so much of modern cybersecurity is built around optics and checklists, rather than actual resilience or engineering discipline.
The CVE Trap
Don’t get me wrong: CVEs (Common Vulnerabilities and Exposures) have a place. They offer a shared language for vulnerability tracking across teams, tools, and vendors. They help us scale awareness and automation.
But the problem arises when CVEs become the only metric that drives action. I’ve been in the position (multiple times) of chasing down false positives from scanners, spending hours writing risk acceptances for edge-case bugs that don’t pose any real-world threat. The priority wasn’t fixing issues that mattered; it was making sure the spreadsheet looked clean for the next audit.
Meanwhile, real systemic risks (insecure architecture, overly permissive IAM roles, fragile CI/CD pipelines) get ignored because they don’t have a CVE. No red flag in the dashboard? No Jira ticket. No urgency.
The Compliance Dance
As someone who’s worn the “security liaison” or DPO hat (whatever title of the month gets thrown around), I’ve been the person responsible for this circus. Not because I wanted to be, but because that’s how the game is played.
Security theatre is exhausting. It creates a false sense of confidence, while slowing down the work that actually makes systems safer. Risk-based decisions get replaced by checkbox logic. And people start to confuse busywork with progress.
What Actually Matters
Security should be about ownership and responsibility. If something’s broken, fix it. Not because it has a CVE. Not because a tool flagged it. But because broken things make for fragile systems, and fragile systems eventually fail.
We need to:
- Reduce complexity and shrink our attack surfaces
- Make patching low-risk and routine, not a crisis
- Fix bugs whether or not they’ve been blessed with a CVE
- Build systems we’re proud to stand behind
Ultimately, we need to own the s**t we put into the world. That means moving past performative security and focusing on engineering fundamentals. It’s not glamorous, and it won’t always get you a fancy report to show your boss, but it’s the kind of work that actually makes things better.
And yeah, it starts with just fixing the damn thing because it’s broken.