This paper identifies a “dual vulnerability” paradox in Vision-Language Large Models (VLLMs) under jailbreak attacks: they are simultaneously highly susceptible to adversarial exploitation yet overly sensitive to simple defenses—leading to defense saturation and compromised reliability. The root cause is widespread “excessive caution” in existing defenses, i.e., high false-positive rates on benign vision-language inputs, which erodes practical robustness. Method: We formally characterize this security paradox and introduce “excessive caution” as a novel conceptual framework. We propose LLM-Pipeline, a lightweight, pre-deployment gatekeeping mechanism that integrates modular vision-language processing and adaptive thresholding. We further conduct vision-language attribution analysis and statistical consistency testing across benchmarks. Contribution/Results: Our approach significantly improves detection accuracy and adversarial robustness. Empirical analysis confirms the visual modality as the primary vulnerability source. Moreover, we expose spurious consistency flaws in mainstream jailbreak benchmarks—indicating potential evaluation distortion and urging caution in benchmark-based security assessment.

The vulnerability of Vision Large Language Models (VLLMs) to jailbreak attacks appears as no surprise. However, recent defense mechanisms against these attacks have reached near-saturation performance on benchmark evaluations, often with minimal effort. This emph{dual high performance} in both attack and defense raises a fundamental and perplexing paradox. To gain a deep understanding of this issue and thus further help strengthen the trustworthiness of VLLMs, this paper makes three key contributions: i) One tentative explanation for VLLMs being prone to jailbreak attacks-- extbf{inclusion of vision inputs}, as well as its in-depth analysis. ii) The recognition of a largely ignored problem in existing defense mechanisms-- extbf{over-prudence}. The problem causes these defense methods to exhibit unintended abstention, even in the presence of benign inputs, thereby undermining their reliability in faithfully defending against attacks. iii) A simple safety-aware method-- extbf{LLM-Pipeline}. Our method repurposes the more advanced guardrails of LLMs on the shelf, serving as an effective alternative detector prior to VLLM response. Last but not least, we find that the two representative evaluation methods for jailbreak often exhibit chance agreement. This limitation makes it potentially misleading when evaluating attack strategies or defense mechanisms. We believe the findings from this paper offer useful insights to rethink the foundational development of VLLM safety with respect to benchmark datasets, defense strategies, and evaluation methods.