According to WhiteHat Security, 70 percent of individual web, mobile and API-based apps that support the manufacturing sector spent all of 2020 with at least one critical or high-risk security flaw.
With public administration apps, the number that went a year with a security flaw dropped to 67 percent, and nine other sectors ranged between 50 and 60 percent.
The results come from aggregated data from the firm's monthly AppSec Stats Flash scans of tens of thousands of apps, compiled in a just-released annual report.
"Time-to-fix is seeing a dangerous upward trend," said Setu Kulkarni, vice president of strategy for WhiteHat, via email.
Indeed, the average time to fix bugs of any severity lasted a year or more in the public administration, educational services, and utilities industries.
Besides manufacturing and public administration, more than half the individual apps from a wide range of sectors had at least one critical or high severity vulnerability from Jan. 1, 2020, to Jan. 1, 2021: healthcare and social assistance; real estate and rental; information; retail; education; utilities; enterprise management; and professional, scientific and technical services.
Several industries fared better. Less than a third of the apps in agriculture, forestry and hunting; construction; and arts, entertainment and recreation had critical or high severity flaws all year.
Kulkarni said that the reason so many applications had perennial bugs was a mixture of trouble prioritizing, lack of trained staffing, and a boom in online applications that's left little time to remediate problems.
Kulkarni noted that many of the bugs left unaddressed came from "pedestrian" classes of vulnerabilities or were otherwise relatively easy to address.
"The most commonly occurring vulnerability class, information leakage, can be addressed largely via configuration changes throughout the software lifecycle," he said.
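To make the last point concrete, the following is an added example (not code from WhiteHat or its report) of the kind of check a team can run against its own responses to spot the information leakage Kulkarni refers to: version-bearing Server banners, framework headers such as X-Powered-By, and stack traces or debug output in error pages. The header list, the regular expressions and the two sample responses are all assumptions constructed for the example; `find_information_leaks` and `audit` are names chosen here.

```python
"""Flag common information-leakage signals in HTTP responses (added example)."""
import re

# Headers that name the framework; treated as disclosures whenever present.
# Server is flagged only when it carries a version number. Assumed list, not from the report.
FRAMEWORK_HEADERS = ("x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")

# Stack-trace / debug-output patterns for a few common runtimes (assumed, illustrative).
STACK_TRACE_RE = re.compile(
    r"Traceback \(most recent call last\)"      # Python
    r"|\bat [\w$.]+\([\w$]+\.java:\d+\)"        # Java
    r"|\bin /\S+\.php on line \d+"              # PHP warnings/errors
    r"|Exception Details:"                      # ASP.NET error page
)


def find_information_leaks(headers: dict, body: str) -> list:
    """Return a list of leakage findings for one HTTP response (empty when clean)."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}

    server = lowered.get("server")
    if server and VERSION_RE.search(server):
        findings.append(f"Server header reveals version: {server}")

    for name in FRAMEWORK_HEADERS:
        if name in lowered:
            findings.append(f"{name} header reveals framework: {lowered[name]}")

    if STACK_TRACE_RE.search(body):
        findings.append("response body contains a stack trace or debug output")
    return findings


# Constructed sample responses, not real captures.
LEAKY_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html",
}
LEAKY_BODY = "<b>Warning</b>: mysqli_connect(): in /var/www/html/db.php on line 12"

# Same application after configuration changes: generic banner, no framework
# header, generic error page with an opaque reference instead of the error text.
HARDENED_HEADERS = {"Server": "Apache", "Content-Type": "text/html"}
HARDENED_BODY = "<h1>Something went wrong</h1><p>Reference ID: 8f3a</p>"


def audit(responses: dict) -> dict:
    """Run the check over a mapping of name -> (headers, body)."""
    return {name: find_information_leaks(h, b) for name, (h, b) in responses.items()}


if __name__ == "__main__":
    results = audit({
        "leaky": (LEAKY_HEADERS, LEAKY_BODY),
        "hardened": (HARDENED_HEADERS, HARDENED_BODY),
    })
    for name, findings in results.items():
        print(name, findings or ["no leakage indicators"])
```

The findings in the leaky sample are all the sort that configuration, rather than code changes, removes: a generic Server banner (for example Apache's `ServerTokens Prod` or nginx's `server_tokens off;`), switching off framework headers (PHP's `expose_php = Off`), and routing unhandled errors to a generic page that logs the detail server-side and shows the user only a reference identifier.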