More resources should make the number of fixes possible per year greater, but it may not substantially reduce the time from notice to fix for any single issue (and may, because of the organizational overhead involved, sometimes increase the time for particular fixes over an organization with fewer total resources).
Maintaining code is not a trivially parallelizable function.
> Maintaining code is not a trivially parallelizable function.
Yes, I know this, thank you.
But we are talking about billions of dollars vs. millions of dollars (for Linux / BSD). We are talking multiple orders of magnitude(!) more money. I realize there isn't a Silver Bullet, but the fact that what we have heard coming out of Microsoft about their management practices year after year is ABYSMAL is not an excuse. Especially when people who are working for free, with no/little organizational support, can beat them at releasing security fixes.
> because of organizational overhead involved
So maybe they should fix it? How is their incompetence at running an organization a valid excuse? If it was a problem they cared about they would be researching how developers and teams of developers perform best, how best to organize code, etc. Instead they used stacked teams for years on end. I have no sympathy.
If it's as serious a problem, maybe they should stop making new operating system features and devote more resources to fixing, cleaning up, deprecating, etc. the ones they already have?
They are making business decisions, and their ineptitude at security is a result of them. There are no excuses of "they are the only ones doing X" for "they are bad at doing Y when they do X" when they are promising Y!