mlinksva, which biases would that be, I'm curious?

The particular bias that I get confirmation for is that security people keep playing the wrong game in the medium to long term. Building towers of complexity to account for the inherent vulnerabilities of legacy software is convenient for getting publications out or for having dependent customers (lightly brushing aside the issue of snake oil for a bit, as one shouldn't). And it does help with having a somewhat less insecure software infrastructure in the short term.

Yet banging our collective heads against the halting problem gets us into an arms race between attackers and defenders. An arms race that, to my poor understanding, fundamentally favors the side with the most resources, which is (and AFAICT will continue to be) state-level (or security-industrial private) anti-security actors. There's any number of well-understood solutions which change the playing field e.g. by simply not allowing programmers to express memory-safety vulnerabilities. Limiting expressivity really does seem like the way forward for people who feel the need for a somewhat secure computing infrastructure (therefore, one which does not lend itself to mass exploitation from entities with vast resources). There's probably an economic argument to be made as well, but I'm afraid that's already been considered and rejected by academics looking for funding or developers seeking employment in the current security industry.