All of the training data includes insecure code, because most people don’t write secure code. It’s true that AI is assisting in finding vulns, but they’re typically the more obvious injection- and misconfiguration-type bugs. They’re not the more subtle, logic-based bugs that tend to exist. I expect those to be much bigger impact longer term, because they’re very easy to write, hard to detect, but typically relatively easy to exploit (once you’ve done the hard work to identify them).