I’ve described it as cost flexible, because you should be funding or ensure developers are funded to a level appropriate level of risk to operations if a vulnerability is discovered or a critical failure prevents a correct operation.

That’s for big business and governments at least. Small businesses also has the same concerns but the risk matrix for them is just different.