Government Software at a Breaking Point: Veracode Report Exposes Alarming Public Sector Security Debt

The public sector is drowning in unresolved software vulnerabilities—and the numbers are worse than you think.


According to a new report from application risk management leader Veracode, government agencies are sitting on a staggering amount of security debt—flaws in code that have remained unaddressed for more than a year. And in more than half of those cases, the flaws are severe enough to be deemed “critical.”


The Public Sector State of Software Security 2025 report, based on an analysis of 1.3 million applications and 126 million security findings, paints a bleak picture: 78% of public sector organizations are burdened by aging, unresolved security issues, with 55% harboring high-risk vulnerabilities that could enable devastating breaches.


Lagging Behind: The Cost of Delay


Public sector systems take, on average, 315 days to remediate half of their known software flaws, compared to 252 days across all industries. That 63-day lag isn’t just a stat—it’s an open invitation for threat actors targeting vulnerable application layers.


The numbers get even more troubling: a third of all public sector software vulnerabilities remain unresolved two years after discovery, and 15% persist for more than five years.

“Many government organizations are facing growing challenges in keeping up with vulnerability remediation, potentially leaving critical systems and data that run essential government services exposed,” said Chris Wysopal, Chief Security Evangelist at Veracode.


The Open-Source Dilemma


While third-party and open-source components make up a small slice of the total codebase—less than 10%—they’re responsible for a disproportionate share of critical risk. Veracode found that these dependencies account for 70% of critical security debt in government systems.


To make matters worse, these open-source flaws are 50% slower to fix than vulnerabilities in internally developed code.


“This disproportionate risk highlights the importance of securing software supply chains and carefully vetting open-source dependencies,” Wysopal warned. “As the use of AI-generated code increases across organizations, comprehensive open-source analysis is more essential than ever to prevent hidden flaws from slipping through.”


Security Haves and Have-Nots


Not all government entities are equally exposed. Veracode’s research identifies a clear divide between high- and low-performing agencies. At the top end, organizations are resolving flaws nearly four times faster than their struggling counterparts.


For example:


  • Flaw Density: Leading agencies report vulnerabilities in under one-third of their applications. Laggards? Every single app is affected.


  • Fix Rate: Top performers resolve over 9% of their flaws each month; lagging orgs barely move the needle at 0.1%.


  • Speed: The fastest agencies remediate critical issues in just over 3 months. The slowest take nearly a year.
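The three yardsticks above are easy to quote and surprisingly easy to compute differently. The following Python is an added example, not code from Veracode or the report, showing one defensible definition of each metric (flaw density, monthly fix rate, time-to-remediate for critical flaws) plus the report's notion of security debt (a flaw still open after more than a year), run over a small constructed findings inventory. The data, the field names and the exact definitions are assumptions for illustration.

```python
"""Maturity metrics over a findings inventory (added example; constructed data)."""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Finding:
    app: str
    severity: str                 # "critical", "high", "medium", "low"
    opened: date                  # date the scanner first reported it
    closed: Optional[date] = None # None while the flaw is still open

# Constructed sample inventory: four applications, six findings (not real data).
APPS = ["portal", "payments", "records", "gis"]
FINDINGS = [
    Finding("portal",   "critical", date(2024, 1, 10), date(2024, 4, 15)),
    Finding("portal",   "high",     date(2024, 6, 1)),
    Finding("payments", "critical", date(2023, 3, 5),  date(2024, 2, 20)),
    Finding("records",  "medium",   date(2024, 9, 9)),
    Finding("records",  "critical", date(2022, 11, 30)),
    Finding("gis",      "low",      date(2024, 12, 1), date(2025, 1, 5)),
]

def is_open_on(f: Finding, day: date) -> bool:
    """A finding counts as open on `day` if reported by then and not yet closed."""
    return f.opened <= day and (f.closed is None or f.closed > day)

def flaw_density(apps, findings, as_of: date) -> float:
    """Share of applications with at least one finding open on `as_of`."""
    affected = {f.app for f in findings if is_open_on(f, as_of)}
    return len(affected) / len(apps)

def monthly_fix_rate(findings, year: int, month: int) -> float:
    """Fraction of findings open at the start of the month that were closed during it."""
    first = date(year, month, 1)
    nxt = date(year + (month == 12), month % 12 + 1, 1)
    open_at_start = [f for f in findings if f.opened < first and (f.closed is None or f.closed >= first)]
    closed_in_month = [f for f in open_at_start if f.closed is not None and f.closed < nxt]
    return len(closed_in_month) / len(open_at_start) if open_at_start else 0.0

def median_days_to_fix(findings, severity: str = "critical") -> float:
    """Median days from report to closure for remediated findings of one severity."""
    durations = [(f.closed - f.opened).days for f in findings
                 if f.severity == severity and f.closed is not None]
    return float(median(durations)) if durations else float("nan")

def security_debt(findings, as_of: date, threshold_days: int = 365):
    """Findings open longer than `threshold_days` on `as_of`, and the critical share among them."""
    debt = [f for f in findings if is_open_on(f, as_of) and (as_of - f.opened).days > threshold_days]
    critical_share = sum(f.severity == "critical" for f in debt) / len(debt) if debt else 0.0
    return len(debt), critical_share

if __name__ == "__main__":
    today = date(2025, 3, 1)
    print("flaw density:", flaw_density(APPS, FINDINGS, today))
    print("fix rate Jan 2025:", monthly_fix_rate(FINDINGS, 2025, 1))
    print("median days to fix critical:", median_days_to_fix(FINDINGS))
    print("security debt (count, critical share):", security_debt(FINDINGS, today))
```

The point of the `is_open_on` helper is that every metric is evaluated as of a date: a fix rate or density quoted without its reference date cannot be compared across agencies, which is exactly the comparison the report is drawing.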


Even among the most advanced teams, open-source risk remains ubiquitous, with 84% of applications containing critical third-party debt.


“The disparity between top- and bottom-performing government organizations is striking,” Wysopal said. “This data provides public sector security teams with a clear framework to assess their maturity, identify gaps, and improve their performance based on the practices of top-performing agencies.”


Two Moves That Matter


Veracode’s call to action for the public sector is direct and prescriptive. First, implement risk-based prioritization that goes beyond surface-level vulnerability counts and ranks issues based on exploitability and context. Second, extend visibility throughout the software lifecycle, embedding secure development practices from design to deployment.
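What "beyond surface-level vulnerability counts" looks like in practice is a scoring rule that lets exploitability and deployment context outrank raw severity. The Python below is an added example, not Veracode's methodology, that ranks a constructed set of findings by severity, exploit status, exposure and age. The weights and field names are assumptions chosen for illustration; the takeaway is that a high-severity flaw with a known exploit on an internet-facing system lands above a critical flaw nobody can reach.

```python
"""Risk-based prioritization of findings (added example; weights are assumptions)."""
from dataclasses import dataclass
from typing import List

SEVERITY_WEIGHT = {"critical": 4.0, "high": 3.0, "medium": 2.0, "low": 1.0}

@dataclass
class Finding:
    id: str
    severity: str
    days_open: int
    internet_facing: bool   # reachable from outside the agency network
    sensitive_data: bool    # the application processes regulated or personal data
    exploit_public: bool    # working exploit code is publicly available
    known_exploited: bool   # exploitation observed in the wild (e.g. via a KEV-style feed)

def risk_score(f: Finding) -> float:
    """Severity is the base; exploitability and context multiply it, age adds a debt penalty."""
    score = SEVERITY_WEIGHT[f.severity]
    if f.known_exploited:       # active exploitation dominates everything else
        score *= 3.0
    elif f.exploit_public:      # public exploit code: attack is cheap, not yet observed
        score *= 2.0
    if f.internet_facing:
        score *= 1.5
    if f.sensitive_data:
        score *= 1.25
    if f.days_open > 365:       # security debt in the report's sense: open more than a year
        score *= 1.2
    return round(score, 2)

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by age so the oldest debt surfaces first."""
    return sorted(findings, key=lambda f: (risk_score(f), f.days_open), reverse=True)

def by_severity_only(findings: List[Finding]) -> List[Finding]:
    """The surface-level ordering the report warns against, kept for comparison."""
    return sorted(findings, key=lambda f: SEVERITY_WEIGHT[f.severity], reverse=True)

# Constructed sample findings (not real vulnerabilities).
SAMPLE = [
    Finding("A", "critical", 30,  internet_facing=False, sensitive_data=False, exploit_public=False, known_exploited=False),
    Finding("B", "high",     400, internet_facing=True,  sensitive_data=True,  exploit_public=True,  known_exploited=True),
    Finding("C", "medium",   90,  internet_facing=True,  sensitive_data=False, exploit_public=True,  known_exploited=False),
    Finding("D", "low",      10,  internet_facing=False, sensitive_data=False, exploit_public=False, known_exploited=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f.id, f.severity, risk_score(f))
    print("severity-only order:", [f.id for f in by_severity_only(SAMPLE)])
```

Run on the sample, the severity-only view puts the unreachable critical flaw `A` first, while the risk-based view promotes `B` (high severity, exploited in the wild, internet-facing, aged past a year) to the top and drops `A` to third. Whatever weights an agency settles on, the inputs that move the ranking (exploit status, exposure, data sensitivity) have to be collected per application, which is why the second move, visibility across the lifecycle, is a precondition for the first.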


“In today’s threat landscape, security debt is no longer an acceptable risk,” Wysopal concluded. “With the right focus, metrics, and automation, public sector agencies can take control of their software risk and build resilience into every release.”


The Bottom Line


As AI-generated code becomes more prevalent and digital services continue to expand, the stakes for application security have never been higher. Veracode’s findings reveal a simple truth: Without sustained investment and modernization, public sector software will remain a soft target—and the consequences won’t be theoretical.


The full Public Sector State of Software Security 2025 report is available now on Veracode’s website.