IDK, every project I touched while working there had some suite of static analysis cve report, secrets scanning, as well as absurdly strict data collection policies and procedures. It was challenging to navigate at times when you had to wait on upstream fixes and crap. The only time I ever saw a fix go live quickly and to the majority of the customer base on quick rollout was for a zero day or active exploit. I’m sure there are gaps, but for as many services they offer, I never saw any crazy shit.

Google is probably one of the top 10 probed companies in the world and you don’t hear about too many major breeches that originated from the tech. It’s usually legal and sharing with bad partners where they fuck up.