In the 1970s, when computer security research was beginning, most developers responded to vulnerability reports by fixing the problem reported. The “penetrate and patch” approach survived into this century (and probably survives today in some development organizations) until organizations started to create secure development processes. A mature secure development process will incorporate root cause analysis to keep driving vulnerabilities out and making software more secure. The feedback from vulnerability reports helps identify new issues that need attention and also helps us prioritize hard-to-detect issues.
Source: https://www.csoonline.com/article/3261972/getting-to-the-root-cause-of-the-problem.html