
it seems obvious that as long as there's no disclosure there's no real need to fix things. audits mean nothing if suddenly things can disappear from The Scope and appear somehow mItIgAtEd.


"But they're ISO certified!" /s

Strictly speaking audit is the wrong word for what I did (I'm not a certified auditor). I don't want to say too much in case I break some confidentiality agreement. Though I'm curious how that will be argued away, or if they get the manufacturer to get their shit together and build a new firmware...



