Good architecture, not good vibes: Lessons from the latest Drupal security advisory

The rise of vibe coding has all the hallmarks of a technology gold rush. With AI tools now capable of generating websites and applications from a simple prompt, businesses are being sold a seductive vision of faster delivery, lower costs and less reliance on specialist developers. Beneath that hype, though, a real security problem is forming.

Recent research from Escape.tech examined more than 5,600 publicly deployed AI-generated applications and found over 2,000 high-impact vulnerabilities, alongside hundreds of exposed secrets. Building software has never been easier. Building software that is secure, scalable and maintainable over time remains as hard as ever.

At Rogerwilco, we see this firsthand. AI-generated code is increasingly common in websites and applications that clients ask us to maintain or improve. It usually works, doing what it was designed to do, but it often lacks the security controls, architectural discipline and long-term maintainability a business-critical system needs.

This is not a criticism of AI. These tools are genuinely useful for prototyping and accelerating development. The problem starts when a working proof of concept gets mistaken for a production-ready solution. When we run security scans across inherited code, vibe-coded sites tend to light up like a Christmas tree, with issues flagged across the codebase. Often, it is faster and safer to start again than to fix what is there.

Why the platform underneath still matters

For most businesses, a website is far more than a marketing asset. It stores customer data, integrates with internal systems, supports revenue generation and often serves as the primary point of contact with customers and stakeholders. These deserve the same governance, security and ongoing maintenance as any other critical business infrastructure.

This is where mature platforms like Drupal continue to prove their value. While it powers a relatively small share of the web overall, Drupal remains the open-source content management system of choice for many government departments, universities and financial institutions, all organisations with the least room for error.

On 20 May 2026, the Drupal security team issued advance notice of a highly critical update to its core architecture. As is standard practice, organisations were given a release window rather than technical detail, so attackers could not get ahead of the patch.

That window fell at 7pm South African time. We had 21 enterprise client sites to secure. As each patch landed between 7pm and 11pm, our team reviewed, implemented, peer-reviewed and tested it within 45 minutes. Our environments turned out to be largely unaffected by the underlying vulnerability, but that was never the point. Every site was secured before attackers had a realistic opportunity to exploit the vulnerability.

That response was not luck. It was the product of established systems, proven processes and a team that treats security as a discipline, not an afterthought. Security is not about reacting once something goes wrong. It is about being ready before it does.

AI is a tool, not a strategy

None of this is an argument against AI in development, but we feel its most valuable uses sit outside code generation. Documentation, testing, troubleshooting and knowledge-sharing consume a significant share of any project’s lifecycle, and that is exactly where AI is proving its worth.

At Rogerwilco, AI-assisted documentation has lifted the quality and consistency of our project records. AI is often better at spotting bad code or security issues than at writing clean code itself. Visual testing, traditionally one of the slowest parts of quality assurance, now moves much faster, freeing developers to focus where it matters most.

Used this way, AI sharpens the judgement of an experienced team. Used as a substitute for expertise, architecture and governance, it creates new risk rather than removing it.

Choosing the right foundation

Out-of-the-box website builders have their place; they get something online fast, and for the right use case, that is genuinely valuable. But Drupal is a different kind of decision, an investment in not having this same conversation again in two years. Think of it as the difference between building a property you can extend as you grow and renting a pop-up tent you will inevitably outgrow.

The recent advisory should not cause alarm. It is a reminder to ask: who is responsible for monitoring your platform? How quickly could you respond if this happened tomorrow? Do you actually have visibility into your own digital risk?

Too many organisations have traded long-term digital thinking for template-driven shortcuts. Security is the most visible symptom. Originality, resilience and sustainable growth all require investment in doing things properly rather than simply copying what everyone else is doing.

AI can accelerate development. But speed should never be mistaken for safety. For businesses that take security seriously, good architecture will always matter more than good vibes.