> It is also not proof of work because of asymmetries between attacker and defender. An attacker only needs to find one exploitable issue before the defender finds it and patches it, while the defender eventually needs to find all issues - and even then can't really be sure they remediated everything.

It depends. Some classes of vulnerabilities can be excluded by construction. This is usually seen as too hard to be practicable, but AI potentially changes this.