Veracode analysis shows that nearly two-thirds (63%) of banking, financial services, and insurance (BFSI) organizations harbor critical security debt — high-severity flaws left unfixed for longer than a year — a rate 13 percentage points higher than the cross-industry average, according to the application risk management platform provider’s 2025 State of Software Security (SoSS) Snapshot for the Financial Services Sector.
Veracode researchers report 77% of financial services organizations accrue some level of security debt. With an average flaw half-life of 276 days — the time it takes to remediate 50% of all vulnerabilities — it takes the sector nearly a month longer to fix security issues than other industries. Despite modest gains in reducing high-severity flaws, progress has stalled as older, larger applications in the sector continue to accumulate unresolved security risks.
“Our data reveals a silent, growing risk for the sector created by unresolved security debt,” said Chris Wysopal, co-founder at Veracode. “With AI-driven attacks surging and compliance requirements tightening, finance leaders must prioritize strategic risk reduction, starting with targeted remediation of critical software flaws.”

Open source dependency amplifies exposure
The report found the supply chain remains a major source of risk. While third-party code represents just 17% of total security debt, it accounts for more than 82% of critical security debt at financial firms. With open-source flaws requiring 50% more time to remediate than first-party code, organizations face mounting exposure amid escalating regulatory pressure. Proactively assessing open-source libraries and avoiding components with known flaws significantly reduces long-term exposure and risk across applications.
The report also benchmarks top-performing BFSI enterprises against lower-performing organizations. Industry leaders remediate over 9% of open flaws monthly and limit security debt to less than 26% of applications, while laggards have debt in 85% or more of their applications and stretch fix cycles beyond a year. The gap underscores the importance of continuous code analysis, rapid remediation, and contextual risk-based prioritization with modern, AI-powered tools.
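The metrics the report leans on (security debt as flaws still open past a year, critical debt as its high-severity subset, the third-party share of that debt, and flaw half-life as the age at which half of all findings have been fixed) can be computed from any scanner export that records severity, component origin and open/close dates. The following is an added example, not Veracode's code or methodology; the Finding schema and the sample findings are constructed so that the half-life lands on the report's 276 days.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:
    """One scanner finding (hypothetical schema; sample data below is constructed)."""
    id: str
    severity: str            # "high", "medium" or "low"
    third_party: bool        # flaw lives in an open-source or vendor component
    opened: date             # first detected
    closed: Optional[date]   # None while the flaw is still unfixed

def days_open(f: Finding, as_of: date) -> int:
    """Age of a flaw: until it was fixed, or until the reporting date if still open."""
    return ((f.closed or as_of) - f.opened).days

def security_debt(findings, as_of: date, threshold_days: int = 365):
    """Flaws still open for longer than the debt threshold (a year, per the report)."""
    return [f for f in findings if f.closed is None and days_open(f, as_of) > threshold_days]

def critical_security_debt(findings, as_of: date):
    """The high-severity subset of security debt."""
    return [f for f in security_debt(findings, as_of) if f.severity == "high"]

def flaw_half_life(findings) -> Optional[int]:
    """Days until half of all findings (open and closed) were remediated.
    Returns None while fewer than 50% have been fixed: the half-life is then undefined."""
    needed = -(-len(findings) // 2)   # ceil(n / 2) fixes reach the 50% mark
    fix_ages = sorted((f.closed - f.opened).days for f in findings if f.closed)
    return fix_ages[needed - 1] if findings and len(fix_ages) >= needed else None

def third_party_share(flaws) -> float:
    """Fraction of a set of flaws that sits in third-party code (0.0 for an empty set)."""
    return sum(f.third_party for f in flaws) / len(flaws) if flaws else 0.0

AS_OF = date(2025, 6, 30)
SAMPLE = [  # constructed findings, not real scan data
    Finding("A", "high",   True,  date(2024, 1, 15), None),
    Finding("B", "high",   False, date(2023, 12, 1), date(2024, 3, 10)),   # fixed in 100 days
    Finding("C", "medium", False, date(2024, 2, 1),  None),
    Finding("D", "low",    False, date(2025, 1, 10), date(2025, 4, 20)),   # fixed in 100 days
    Finding("E", "high",   True,  date(2024, 5, 5),  date(2025, 2, 5)),    # fixed in 276 days
    Finding("F", "medium", False, date(2025, 3, 1),  None),                # open, but under a year
]

if __name__ == "__main__":
    debt = security_debt(SAMPLE, AS_OF)
    crit = critical_security_debt(SAMPLE, AS_OF)
    print("security debt:", [f.id for f in debt])
    print("critical security debt:", [f.id for f in crit], f"third-party share {third_party_share(crit):.0%}")
    print("flaw half-life (days):", flaw_half_life(SAMPLE))
```

Note that a still-open flaw counts toward the denominator of the half-life but never toward the fixes, so a backlog that is mostly unresolved pushes the half-life up or leaves it undefined rather than hiding it.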