Service providers are usually under pressure to make their service more secure only when there are more secure competitors and the users' switching costs are low enough.
Concept::
Unfortunately there is usually not much liability for the provider, neither in case of availability problems nor in case of compromised/stolen user data. This means that the burden of a successful attack is usually asymmetric - customers are most affected. While providers might suffer reputational damage, this only helps if there are a) more secure competing offers in the first place and b) the switching costs are low enough so that customers might actually switch. This cost-benefit ratio limits how much the provider spends on security.
"How do most closed source SaaS figure out a way to prioritize security ... " - they prioritize it only so much that a) it does not affect their reputation too much (if competition exists), b) to limit their own operations costs (bugs can be costly for the provider too), c) that security is not so bad that the customer might sue for gross negligence (which might be a way to sue around the limited liability in the terms and conditions of the SaaS) and d) there can be compliance requirements (like FedRAMP, C5:2025, ISO 27k1, ...).
Source:: Is a closed source SaaS more secured, especially when the team is overwhelmed?