The hype cycle of vulnerabilities

The end is near

  1. Developer writes code: 100 new features, machine learning, customer satisfaction, market share, all forcing developers to write new code. On top of this, many lines of code are written without testing or with the wrong testing. I’m not a developer, but there is no explanation for crazy fails like Heartbleed.
  2. Hacker finds vulnerability: Most hackers do a great job, looking for dangerous mistakes in code and disclosing what they find responsibly. Apart from the white hats, black hats sell them, but that is another story.
  3. Tech journalists do their job: The business model of web journalism is mostly based on advertising. Click baiting is essential for high revenue. So, what is click baiting in IT security journalism? Would you click on “The vulnerability nobody needs to care about” or on “You and your family will die if you don’t update NOW”? Most headlines are just wrong; they imply that the issue is a big deal. But if you are lucky, the last paragraph explains under which circumstances the bug actually matters for you and your systems: running the old OS with the wrongly configured service, during a full moon, without TLS, your web server sends the wrong timestamp.
  4. Journalists do their job without a clue what’s going on, copying tech news once it reaches a high level of attention in the tech community.
  5. Users pick up the news, thinking they are affected by the vulnerabilities. They start freaking out. They call their admins or friends, who then have to explain what the vulnerability is really about, how they are affected and what they have to do.