Were there more than 10 different developers who worked on the vulnerable code in its lifetime?
Familiarity with code is difficult to gain. Even for the best
developers, contributing to a piece of source code for the first time
means that they must understand the design decisions from previous
developers, any issues the code has had historically, and the coding
style. Thus, the first commit any developer makes is risky.
Furthermore, research has shown a strong correlation between code that
had many developers and code with vulnerabilities.
Note that we used 10 as an arbitrary threshold, but it's really more of
a spectrum.
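
One way to answer this question from version control, as an added example that is not part of the original page: the script below counts distinct developers per file and flags each developer's first commit to that file. The log format, the sample history, the function names, and the choice to identify a developer by lowercased author email are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, shaped like: git log --reverse --format='--%h|%ae' --name-only
SAMPLE_LOG = """\
--c0ffee1|alice@example.org

src/parser.c
src/util.c
--c0ffee2|Bob@example.org

src/parser.c
--c0ffee3|alice@example.org

src/parser.c
--c0ffee4|bob@example.org

src/util.c
--c0ffee5|carol@example.org

src/parser.c
"""

def developer_history(log_text):
    """Map path -> [(commit, author, first_commit_by_author)], oldest first."""
    history, seen = defaultdict(list), defaultdict(set)
    commit = author = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("--"):
            commit, _, email = line[2:].partition("|")
            author = email.lower()  # assumption: one mailbox = one developer
        elif line and commit:
            first = author not in seen[line]
            seen[line].add(author)
            history[line].append((commit, author, first))
    return dict(history)

def summarize(history, threshold=10):
    """Per path: distinct developers, their first commits, and the >threshold answer."""
    out = {}
    for path, commits in history.items():
        devs = {author for _, author, _ in commits}
        out[path] = {
            "developers": len(devs),
            "first_time_commits": [c for c, _, first in commits if first],
            "over_threshold": len(devs) > threshold,
        }
    return out
```

Because the threshold is a parameter, the same summary can be read as a spectrum by sorting files on the `developers` count instead of using the yes/no answer.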