Suppose you run a data center. You have lots of personally identifiable information and a lot of other data that is critical to keep safe. You have a vendor with a software package that you have thoroughly tested and, after careful evaluation, decided is secure. Then they come to you with a second piece of software and say something like “this is a subset of that other piece of software but we have added more security.” Do you:
a) retest the new software and make sure that none of the changes they made made things worse rather than better, or
b) take them at their word and put the software right into production?
If I am your boss and you choose “b”, why should I not fire you on the spot?
Note: Any similarity between this hypothetical question and recent events in the news is purely coincidental.