Quantitative analysis is a flawed concept.
…
As a broken record, I say again that our persistent assumption of linear or quasi linear causation is fundamentally flawed. It may make regulators happy, it makes QA auditors and FOIs/ASI's happy, but the problem is the world doesn't work that way.
Well, it's better than what was in use before and there's currently no viable better alternative.
Even with the current process, you can go down a rabbit hole of what-ifs and spend a lot of time and money for no added safety.
I wish there was a magic process, but there not. Only experience will find the missed cases. Normally they are found and mitigated with little fanfare, much like a patches CVE before it's exploited. But there will be the occasional issues found with spectacular results, like a zero-day exploit that affects millions.