I think a lot of work that went into mitigating Spectre has been a good example since it’s very easy to patch incorrectly if you don’t have a good model of the vulnerability and what it allows