That is why I said "risk". Though the models are pretty good "if" you ask for security audits. Notice I didn't say you could do it without technical knowledge right now, so you need to know to ask for security review.

I have friends in security on major platforms who are impressed by the security review of the SOT models. Certainly better than the average bootstrapped founder.

For a few years maybe, but I see little reason to think this stuff won't be coming for their jobs as well.

True, but you'd be surprised how much you can tighten up a codebase by asking a heftier model to do a security review and suggest fixes.

At what point do people really know if it has been tightened up if they never look at the code?

That's the catch -- a team would need to care enough about quality, or don't at their own peril.

How does a PM know that the code has been tighten up by the offshore team?