In particular: if you think implementing RSA was really quite easy, don’t use the code you just wrote.

Consider something like “just because you get the right answer doesn’t mean your implementation is secure” (because carry bugs and other hard-to-trigger corner cases in mostly asymmetric algorithms, because side channels, or just because your parser accepts all valid messages and many invalid ones.)

I agree, and I’d put enforced autoformatting in the same list: it takes a text-based language at least some way to a token-based language.

(Autoformatting really isn’t new - GNU Indent is ancient and was itself not the first system - but it seems to have gotten a lot more popular lately.)

I don’t want to compare, but e.g. Qualys’ research into local privilege escalation on Linux - e.g. needsrestart, Baron Samedit - also finds bad stuff. For Windows, consider e.g. James Forshaw’s work. In 2024, unfortunately, (some) VM boundaries are much stronger than process boundaries…