I agree it's hard to draw a bright line, but I'm personally comfortable erring heavily on the side of defect for security issues.
I'd be willing to agree that certain security issues might not constitute a manufacturing or design defect. If a thought-to-be-secure encryption was cracked tomorrow, that doesn't make products using it defective at the time of manufacture.
The point is, it doesn’t matter. The only thing that matters is how consumers feel about whether the company’s reaction makes them feel like they want to trust that company with their next purchase.
I'd be willing to agree that certain security issues might not constitute a manufacturing or design defect. If a thought-to-be-secure encryption was cracked tomorrow, that doesn't make products using it defective at the time of manufacture.