🤖 AI Summary
This study investigates the long-term evolution and stability of security technical debt by analyzing the time series of CVE vulnerability remediation across Red Hat products and components from 1999 to 2024. To address the limitations of linear models in capturing complex remediation dynamics, we employ piecewise regression and structural break detection. Results reveal that overall vulnerability accumulation follows a nonlinear trajectory with multiple statistically significant structural breaks; most product lines do not exhibit sustained acceleration in deterioration, and several show evidence of stabilization in security debt—diverging markedly from general vulnerability trends. This work provides the first empirical demonstration, on an ultra-long-term, industrial-scale dataset, of the phased convergence behavior of security technical debt. It establishes a data-driven paradigm for designing adaptive security maintenance strategies and optimizing resource allocation in large-scale software ecosystems.
📝 Abstract
Motivated by software maintenance and the more recent concept of security debt, the paper presents a time series analysis of vulnerability patching of Red Hat's products and components between 1999 and 2024. According to the results based on segmented regression analysis, the amounts of vulnerable products and components have not been stable; rather, a linear trend describes many of the series well. Nor do the amounts align well with trends characterizing vulnerabilities in general. There are also visible breakpoints indicating that the linear trend is not universally applicable and that the growing security debt may be stabilizing.
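As an added illustration of the segmented regression the abstract refers to (example code written for this summary, not the paper's own analysis, and run on a constructed yearly series rather than Red Hat data): a one-breakpoint piecewise linear fit found by exhaustive split search, compared against a single linear trend so the reader can see how a stabilizing series shows up as a break with a flatter second slope.

```python
"""Segmented (piecewise) linear regression with one breakpoint, the kind of
structural-break check used on a yearly series of patched-vulnerability
counts. Example code added here; not the paper's own code or data."""


def ols(xs, ys):
    """Ordinary least squares fit y = a + b*x; returns (a, b, sse)."""
    n = len(xs)
    xm, ym = sum(xs) / n, sum(ys) / n
    sxx = sum((x - xm) ** 2 for x in xs)
    b = sum((x - xm) * (y - ym) for x, y in zip(xs, ys)) / sxx
    a = ym - b * xm
    sse = sum((y - (a + b * x)) ** 2 for x, y in zip(xs, ys))
    return a, b, sse


def segmented_fit(years, counts, min_seg=3):
    """Try every split point (each segment at least min_seg years long) and
    keep the one whose two independent linear fits minimise the total
    residual sum of squares; also report the single-line fit for comparison."""
    _, b_all, sse_all = ols(years, counts)
    best = None
    for k in range(min_seg, len(years) - min_seg + 1):
        _, b_left, sse_left = ols(years[:k], counts[:k])
        _, b_right, sse_right = ols(years[k:], counts[k:])
        sse = sse_left + sse_right
        if best is None or sse < best["sse"]:
            best = {"break_year": years[k], "slope_before": b_left,
                    "slope_after": b_right, "sse": sse}
    best["slope_linear"] = b_all
    best["sse_linear"] = sse_all
    # Share of the single-line residual removed by allowing one break.
    best["sse_reduction"] = 1.0 - best["sse"] / sse_all if sse_all else 0.0
    return best


def example_series():
    """Constructed data (not real counts): steep growth of 10 per year for
    2000-2007, then a much flatter 2 per year from 2008 onward."""
    years = list(range(2000, 2016))
    counts = [20, 30, 40, 50, 60, 70, 80, 90,
              95, 97, 99, 101, 103, 105, 107, 109]
    return years, counts


if __name__ == "__main__":
    result = segmented_fit(*example_series())
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed series the search places the break at 2008 with slopes of 10 and 2 per year, and the two-segment fit removes essentially all of the residual the single trend line leaves behind.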