It really depends on where you're starting from. If it's well-written code then it's not nearly as drastic. Claude found quite a few problems in our code but none of them were of any impact because it's constantly run through a large range of SAST tools, fuzzers, Valgrind, and so on, so it was all in things that those couldn't discover, like code paths that were never exercised, irrelevant API contract violations, that sort of thing: the sort of stuff that was wrong but wouldn't result in externally-observable behaviour, which is why fuzzing, Valgrind, and so on hadn't turned it up.
OTOH if you've got it-compiles-ship-it code then the AI will turn up about ten thousand issues which will overwhelm both you and the attackers, so both sides will tell it to only focus on exploitable stuff and fix or exploit that depending on which side you're on. This is how many SAST tools are used, first time you run it you get 8,000 problems reported so you declare that the baseline and only fix new stuff that turns up.
There's safety in numbers, even if the numbers are bad.
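The "declare the first run the baseline and only look at new findings" workflow the comment describes is easy to script, and the one detail worth getting right is how findings are matched between runs. Below is an added example (not code from the commenter, and not any particular SAST tool's baseline feature): findings are fingerprinted by rule, file and whitespace-normalised snippet rather than by line number, so that an unrelated edit that shifts lines does not make 8,000 old findings reappear as "new". The field names and the two scans are constructed for the example; real exports (SARIF, tool-specific JSON) would need a small adapter to this shape.

```python
"""Baseline-and-diff triage for static-analysis findings.

Added example: not the commenter's code nor any SAST tool's own baseline
mode. Field names ("rule", "file", "line", "snippet", "severity") are an
assumed, simplified finding shape.
"""
import hashlib
import re

# Constructed sample data: the first scan becomes the baseline, the second
# scan is a later run after unrelated edits shifted some lines.
BASELINE_SCAN = [
    {"rule": "CWE-120", "file": "src/parse.c", "line": 42,
     "snippet": "strcpy(buf, input);", "severity": "high"},
    {"rule": "CWE-476", "file": "src/net.c", "line": 88,
     "snippet": "p->len = 0;", "severity": "medium"},
    {"rule": "STYLE-001", "file": "src/util.c", "line": 10,
     "snippet": "int  x;", "severity": "low"},
]
NEW_SCAN = [
    # Same finding as before, 7 lines lower and reformatted by clang-format.
    {"rule": "CWE-120", "file": "src/parse.c", "line": 49,
     "snippet": "strcpy( buf, input );", "severity": "high"},
    # Genuinely new, high-severity finding introduced since the baseline.
    {"rule": "CWE-78", "file": "src/exec.c", "line": 15,
     "snippet": "system(cmd);", "severity": "high"},
    # Unchanged low-severity finding.
    {"rule": "STYLE-001", "file": "src/util.c", "line": 10,
     "snippet": "int  x;", "severity": "low"},
    # New but low-severity: suppressed by the severity floor below.
    {"rule": "STYLE-002", "file": "src/util.c", "line": 11,
     "snippet": "return(x);", "severity": "low"},
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}


def fingerprint(finding):
    """Stable identity for a finding: rule + file + whitespace-stripped snippet.

    Deliberately excludes the line number so that edits elsewhere in the
    file do not churn the baseline.
    """
    snippet = re.sub(r"\s+", "", finding["snippet"])
    key = f'{finding["rule"]}|{finding["file"]}|{snippet}'
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def build_baseline(findings):
    """The accepted set of fingerprints from the first ("8,000 problems") run."""
    return {fingerprint(f) for f in findings}


def triage(new_findings, baseline, min_severity="high"):
    """Split a later scan against the baseline.

    Returns a dict with:
      new        - findings absent from the baseline, at or above min_severity
      suppressed - findings absent from the baseline but below min_severity
      known      - findings already in the baseline (ignored by policy)
      fixed      - baseline fingerprints that no longer appear in this scan
    """
    floor = SEVERITY_RANK[min_severity]
    result = {"new": [], "suppressed": [], "known": [], "fixed": set()}
    seen = set()
    for f in new_findings:
        fp = fingerprint(f)
        seen.add(fp)
        if fp in baseline:
            result["known"].append(f)
        elif SEVERITY_RANK[f["severity"]] >= floor:
            result["new"].append(f)
        else:
            result["suppressed"].append(f)
    result["fixed"] = baseline - seen
    return result


if __name__ == "__main__":
    base = build_baseline(BASELINE_SCAN)
    r = triage(NEW_SCAN, base, min_severity="high")
    print(f"baseline: {len(base)} accepted findings")
    print(f"new (actionable): {[f['rule'] + '@' + f['file'] for f in r['new']]}")
    print(f"suppressed (below floor): {len(r['suppressed'])}, "
          f"known: {len(r['known'])}, fixed since baseline: {len(r['fixed'])}")
```

The `fixed` set is worth tracking as well: when a baseline entry disappears, remove it from the stored baseline so the finding cannot silently come back later as a "known" one. Note that the severity floor only decides what gets surfaced, not what exists; the comment's point that both sides filter the same way is exactly why the suppressed bucket should be reviewed periodically rather than forgotten.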