Everyone asks why it takes 2 months to develop, test and deploy a patch. Nobody ever asks why it took over 10 years for criminals to find and exploit this bug. What were they doing all this time? Why did it take them so long? Do criminals have perverse incentives to be law-abiding or are they just plain lazy?
