Featured Article : US & UK Public Sectors Running Insecure IT

A major new study has revealed that 78 per cent of (US) public sector organisations are still operating with serious, unresolved software security flaws, some of which have persisted for over five years.

Report Uncovers Widespread “Security Debt”

The findings come from US-based application risk management firm Veracode’s Public Sector State of Software Security 2025 report, released on 11 June. Based on an analysis of over 1.3 million software applications and 126 million security findings, the research highlights the extent to which government organisations in the US are falling behind on basic software vulnerability management.

According to the report, a massive 78 per cent of (US) public sector bodies are running with unresolved flaws that have remained open for more than a year, a situation Veracode refers to as “security debt”. In more than half of these organisations, the report identifies critical vulnerabilities with high risk potential that have still not been addressed.

Fixing Flaws Takes Far Longer in Government

One of the clearest indicators of the public sector’s struggle appears to be the time it takes to resolve these software issues. For example, the report shows that government bodies take an average of 315 days to fix just half of their identified software vulnerabilities. This is far higher than the cross-industry average of 252 days, which is already considered too slow by many cybersecurity experts.

That 63-day gap may sound modest, but Veracode warns it opens up a significant attack window. This is because these flaws, often in applications delivering essential services, could be exploited by attackers for months at a time. In some cases, flaws are left unresolved for multiple years. As the report shows, around one-third of vulnerabilities in US government software remain unpatched even after two years, and 15 per cent are still unresolved after five.

Chris Wysopal, Chief Security Evangelist at Veracode, described the situation as a systemic failure to keep pace with risk, saying: “Many government organisations are facing growing challenges in keeping up with vulnerability remediation, potentially leaving critical systems and data that run essential government services exposed.”

Which Public Sector Organisations?

The report encompasses a wide range of public sector bodies, including US federal, regional, and local government departments, as well as agencies responsible for education, healthcare, law enforcement, and infrastructure. While the specific organisations are not named, the findings indicate a sector-wide problem that spans multiple tiers of government.

Public-facing applications and internal administrative systems are both affected, with legacy software and fragmented IT infrastructure frequently cited as contributing factors. The report also shows that larger and more complex organisations tend to perform worse, particularly where digital transformation has lagged.

Is the UK Public Sector Facing the Same Risks?

Although Veracode’s report focuses specifically on the US, many of the challenges it identifies appear to be mirrored in the UK.

For example, according to a recent National Audit Office (NAO) report, 58 critical UK government IT systems still have significant cyber-resilience gaps, with 228 legacy systems running without full knowledge of their vulnerabilities. The NAO also highlighted that one in three cybersecurity roles in government remains vacant or is filled by temporary staff, suggesting a widespread skills shortage similar to that seen in the US.

Also, recent cyber incidents have highlighted the risks. For example, back in May, a breach at the Legal Aid Agency exposed the personal data of over 2 million individuals. The British Library and parts of the NHS have also suffered serious service disruptions due to ransomware attacks, often linked to outdated infrastructure.

Unlike Veracode’s report, there is currently no published UK data showing the average time it takes public sector bodies to fix software vulnerabilities. However, the reliance on legacy systems, combined with under-resourced security teams and a reactive approach to patching, strongly suggests that vulnerability resolution timelines in the UK are also prolonged.

That said, the UK Government has begun taking steps to address the issue. For example, a new Cyber Security and Resilience Bill is set to tighten breach reporting requirements and enhance supply chain security. Also, the NCSC’s GovAssure programme is now auditing critical departments, and £1 billion has been pledged to improve cyber capacity across public services. However, progress has been slow, and experts have raised concerns about how effectively these initiatives are being implemented.

In the absence of specific figures, it remains difficult to compare the scale of UK security debt directly with that of the US. However, the warning signs are there, and the structural issues look strikingly familiar.

Open Source and Third-Party Code a Major Weak Point

While most flaws are found in first-party applications, it seems that the most dangerous and persistent problems come from open-source and third-party code. Interestingly, although these components make up less than 10 per cent of total public sector software, they account for 70 per cent of the critical security debt in government systems.

To make matters worse, flaws in third-party code take around 50 per cent longer to fix than those in software developed internally. As organisations increasingly rely on open-source libraries and packages, this gap presents a growing threat.

“This disproportionate risk highlights the importance of securing software supply chains and carefully vetting open-source dependencies,” said Wysopal. “Without extending visibility and remediation efforts beyond internal code, public sector entities risk leaving the most dangerous flaws unaddressed.”

Some Agencies Are Far Ahead of Others

The report appears to highlight a stark disparity between the best and worst performing organisations. In the top 25 per cent of public sector bodies, just one-third of applications contain flaws. These leading agencies resolve half of their issues within 3.3 months and manage to fix over 9 per cent of flaws per month. The report shows that by contrast, the worst 25 per cent have flaws in every application tested, with less than 0.1 per cent fixed each month and average remediation times exceeding 11 months.

Wysopal highlights how this gap raises serious questions about leadership, resource allocation, and operational culture across the public sector, saying: “The disparity between top and bottom-performing government organisations is striking and raises important questions about the factors that make a material difference to security posture.”

What’s Causing the Problem?

The report suggests a number of causes behind the growing backlog. These include underinvestment in application security (AppSec) tooling for software development, overreliance on legacy systems, and a lack of skilled personnel to address vulnerabilities at scale.

Another issue is that vulnerability scanning is often performed late in the development lifecycle, when flaws are more costly and time-consuming to fix. Without ongoing analysis and integration into development workflows, issues tend to accumulate and are eventually deprioritised due to competing pressures.

Compounding this appears to be the rapid adoption of AI-generated code. While generative AI can speed up development, it can also introduce subtle but serious vulnerabilities if not properly reviewed. Veracode warns that comprehensive open-source analysis is more essential than ever to prevent hidden flaws from slipping through.

How Can Public Sector Bodies Respond?

Veracode is urging public sector organisations to modernise their approach by adopting risk-based remediation strategies and automating more of the security process. Key recommendations include:

– Implementing context-driven security posture management, which prioritises the most exploitable vulnerabilities using insights from multiple tools and data sources.

– Establishing continuous scanning, integrated into the full development lifecycle, so that flaws are caught earlier and fixed faster.

– Supporting developer enablement, giving teams the training and tools they need to identify and address issues proactively.

According to the report, the most effective and cost-efficient way to reduce security debt is to prevent it from accumulating in the first place.
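The report's headline measures (security debt as flaws open for more than a year, the time to fix half of all findings, the monthly fix rate, the share of debt sitting in third-party code) and its first recommendation (ranking open flaws by exploitability rather than by discovery order) can be reproduced over an organisation's own scanner export. The following is an added example, not Veracode's code or methodology; the sample findings and the `exploitable` field are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
@dataclass
class Finding:
    id: str
    opened: date
    closed: "date | None"   # None means the flaw is still open
    severity: int           # 1 (low) .. 4 (critical)
    third_party: bool       # flaw sits in open-source / third-party code
    exploitable: bool       # assumed signal from other tools, e.g. exploit known in the wild

def age_days(f: Finding, today: date) -> int:
    """Days the finding was open (if closed) or has been open so far."""
    return ((f.closed or today) - f.opened).days

def security_debt(findings, today, threshold_days=365):
    """Open findings older than the threshold: the report's 'security debt'."""
    return [f for f in findings if f.closed is None and age_days(f, today) > threshold_days]

def third_party_debt_share(findings, today):
    """Fraction of the security debt that sits in third-party code."""
    debt = security_debt(findings, today)
    return sum(f.third_party for f in debt) / len(debt) if debt else 0.0

def days_to_fix_half(findings, today):
    """Days until half of all findings were closed; None if fewer than half ever were."""
    closed = sorted(age_days(f, today) for f in findings if f.closed)
    need = (len(findings) + 1) // 2
    return closed[need - 1] if len(closed) >= need else None

def monthly_fix_rate(findings, start, end):
    """Share of findings open at 'start' that had been closed by 'end'."""
    open_at_start = [f for f in findings if f.opened <= start and (f.closed is None or f.closed > start)]
    fixed = [f for f in open_at_start if f.closed is not None and f.closed <= end]
    return len(fixed) / len(open_at_start) if open_at_start else 0.0

def remediation_queue(findings, today):
    """Risk-based order for open flaws: exploitable first, then severity, then oldest."""
    open_flaws = [f for f in findings if f.closed is None]
    return [f.id for f in sorted(open_flaws, key=lambda f: (f.exploitable, f.severity, age_days(f, today)), reverse=True)]

TODAY = date(2025, 6, 11)  # report release date; the findings below are constructed, not report data
SAMPLE = [
    Finding("F-1", date(2023, 1, 10), None, 4, True, True),
    Finding("F-2", date(2024, 3, 1), None, 2, False, False),
    Finding("F-3", date(2025, 4, 1), date(2025, 5, 1), 3, False, False),
    Finding("F-4", date(2024, 12, 1), date(2025, 3, 11), 4, True, False),
    Finding("F-5", date(2025, 5, 20), None, 4, False, True),
    Finding("F-6", date(2024, 1, 1), date(2024, 11, 26), 1, True, False),
]
```

On the sample, two of six findings are debt, half of the debt is third-party, it took 330 days to close half of all findings, and the queue puts the old exploitable critical first and the younger exploitable critical ahead of the old but non-exploitable medium.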

Risks for the Public, Service Delivery, and Compliance

While the problem is technical in nature, the impact appears to extend far beyond IT departments. For example, vulnerabilities in public sector software can put sensitive public data at risk, disrupt essential services, and erode public trust. In sectors like healthcare and social services, the consequences of a breach could be devastating.

There are also compliance implications. For example, governments are increasingly subject to cybersecurity regulations requiring evidence of secure coding practices and risk mitigation. Persistent security debt may put some organisations in breach of data protection obligations or national security protocols.

A Complex Challenge, but Improvement Is Possible

Despite the bleak statistics, Veracode’s analysis makes clear that progress is achievable and that top-performing agencies prove that meaningful improvement can be made with the right strategy, investment, and organisational buy-in.

The challenge now appears to be for lagging organisations to assess their security maturity, identify the operational and cultural blockers to faster remediation, and make the structural changes needed to reduce their exposure to risk.

What Does This Mean For Your Business?

For governments, the consequences of inaction are no longer theoretical. The exposure created by slow patching and ageing systems is already being exploited by cybercriminals. Also, for the public, the stakes are growing, whether through data loss, service disruption, or erosion of trust in digital government services. What Veracode’s report makes clear is that the organisations getting this right are not doing so through luck or scale, but through deliberate prioritisation and operational focus.

In the UK, many of the same systemic issues are clearly visible. Critical infrastructure is still running on unsupported legacy platforms, key security roles remain unfilled, and cyber incidents linked to outdated systems are becoming more frequent. Without hard data on vulnerability resolution times or the extent of open-source debt, public sector bodies are left guessing where their greatest risks lie and how they compare to their peers.

This gap also affects the wider network of software vendors and contractors. UK businesses that supply the public sector will need to meet rising expectations around security assurance and may face tighter scrutiny as new legislation and procurement rules come into force. At the same time, private sector organisations can use these findings as a benchmark, both to avoid the same mistakes and to identify opportunities to lead in secure development practices.

The core message here is that software risk is measurable, manageable, and no longer optional. Delays in addressing known flaws are not just a technical lapse but an operational liability, with real consequences for services, compliance, and reputation. Whether in the US or UK, the longer these gaps are left open, the harder and costlier they become to close.
