You would think we wouldn’t have an endless string of 0-day exploits for operating systems as well but here we are, for the last 25 years. It should be a simple and logical problem as well.
An operating system has to be able to handle arbitrary data, arbitrary network traffic, and arbitrary user input, with the goal of enabling its operator to perform arbitrary computation.
That might be a slightly less tractable problem than controlling a fixed set of flight systems to maneuver an aircraft with a fixed set of degrees of freedom.
Definitely not to understate the complexity of flight systems software at all, but the analogy to operating systems seems unhelpful.
