Linux Kernel Security Done Right (Google Security Blog)

Yes after you have spent time and effort proving that it is actually a regression versus bad code. It is very rarely a one-and-done email, but a lot of work getting the evidence together that it is broken versus a buggy compiler, library set, or a dozen other things it actually could also be. That is time and energy most end companies have no plans to spend time on so will just either stick to a working known state or pay someone else to do that work for them while keeping them on a working known state.