Can you have “more secure software” and still have greater risk?

Answer: Yes.

Here’s how: The software element of the risk equation only accounts for vulnerabilities, it doesn’t address threat. So we can reduce our vulnerability level and therefore have “more secure software” in the midst of increased risk. This manifests itself in a higher number of incidents, which is the outcome of the threat and vulnerability components of risk.