You fix things as they are discovered, continue adding more static analysis to catch new classes of issue, and continue on. You don't rewrite - certainly not in a new language with all new problems.
This isn't a startup with 10 developers - there are literally thousands of developers working on Office and all sorts of internal tooling built around the codebase.
This will keep companies like NSO in business for decades to come.
> there are literally thousands of developers working on Office and all sorts of internal tooling built around the codebase
That's no excuse for the security hacks this codebase is enabling. They need to stop adding new features for a decade, if that's what it takes, in order to fix the security issues. Think of all the ransomware attacks, identity theft, attacks on journalists, and democracy even, that the security issues in this codebase are enabling, and will continue to enable if business-as-usual is the way forward. The stakes are high, and these tech companies must be made to pay a heavy price for each security breach enabled by their negligence, and then the economics will be in favor of prioritizing security over features.