>The larger firms have security departments ready to respond to CVE’s and 0days.

Nah, they do have large security departments, though.

I've met many CSOs that had never wrote a line of code in their lives. That kind of works ... until it doesn't and it fails embarrasingly bad.