There is a stark difference between theory and reality, for instance in theory move from DoD from this article https://www.cyberscoop.com/pentagon-vendors-vulnerability-testing/ was suppose to improve security, indeed way too many software vendors have no idea what do they put into their product, what SDK they use and so on, in fact those vendors need to be held accountable, however at the end government will get worse of both worlds.