The nature of security bugs
Hits the nail on the head:
Security fixes are different from every other kind of fix. As every good troubleshooter knows, when problems occur something almost invariably has changed. For most bugs it is something like load, configuration and so on which can be undone.
With security bugs it is knowledge that has changed and a security weakness can't be unlearned by the world at large.
Peter Harvey wrote this in his blog, and I think he is correct with his insight. But I would add a hybrid group. There are security bugs that are similar to normal fixes: they are introduced by ordinary bugs or by lazy checking. And then there are security weaknesses inherent in a protocol or idea. Those can't be unlearned at all by the world. You can't even fix them once the protocol has gained wide acceptance in the network. Just think about the long-standing search for a more spam-resistant SMTP, or the recent discussions about weaknesses in BGP.