Some things AV vendors did are software practices straight out of the 1990s, if not the 1980s. They didn't check whether they used strcmp vs strncmp, no ASLR, no buffer-protection compilation flags.
These cost minimal effort to fix and are done in all software projects that I'm aware of, not even for security reasons, purely for stability (I don't work in the security sector; these are just common practices everywhere these days). I can't believe they pushed kernel code without these checks.
Which makes me wonder if they've bothered with other low-cost checks, like using tools for memory leak detection or even decent test coverage.
If the quality of the code is that low, it's not a matter of cost; all that I've mentioned is either a flag switch-on, a 2 day task to replace strcmp, or tweaking their CI to add memory leak detection.
Again, all the above is done everywhere for quality and stability reasons; these are not security-related adjustments (though their absence evidently lowers security too).
It is time. Time is expensive. To you, spending 2 days on a task is no big deal. In the industry, that amount of time is simply unacceptable given deadlines and budgets. Plus, they build on top of the existing code base; nobody is going to spend the time and money to do a complete audit.
Not to mention the legitimate reasons why sometimes these things are not used. One I recall was Melih explaining why they didn't use ASLR for a legit reason. It wasn't needed. But anyway, people gave a scathing indictment of COMODO and it got blasted for no good reason across the web. So, just to get people to shut up, Melih had his people implement ASLR.
To you it is coding 101, but obviously the industry doesn't see it that way. Or at least they didn't in the past. And I'm pretty sure it is essentially the same today... what was created in the past hasn't been thrown out. It has just been built over. They're not going to audit it. That's how it works.
If people want secure coding with all the stops, then they have to be willing to pay for it. They have to be willing to pay for all those cumulative multi-day tasks. However, the vast majority of people don't want to pay anything. I've had discussions about this very thing and it all comes down to time and money (expenses). People don't want to pay. They want to be cheap. Then they get what I am willing to do for the price they are willing to pay.
We can debate about this all day long, but I'm telling you nobody does the kind of audit stuff that you're talking about. If they did, then Google Project Zero would find nothing and Tavis Ormandy would have to do something else.