Use libraries and frameworks that make it easier to avoid introducing weaknesses.

The vulnerability risk isn’t just the sum of all the unfixed security bugs in the code of a project installed, it includes the recursive sum of all the security bugs in all the sub-projects (libraries and frameworks) on which the application depends.