A fantastic OpEd piece in the New York times by a former IT staffer discusses why the SEC’s initial thinking that testing all code, is not feasible.
I was involved in one of these debacles before. An online banking system was updated resulting in customer viewing the last page viewed by the last customer who logged onto the online banking system. I too thought better testing was the answer. As I sat down with internal and external IT folks, I learned the myriad of reasons why it just wasn’t possible to put too much faith.
In the end we increased our testing resource and broadened what was tested, but had to find ways to mitigate the related risks that occurred after an incident such as this.