Why AI-generated code is insecure by default
The AI optimizes for the you gave it, and your prompt almost always says "make it work," never "make it safe." So it produces the shortest path to a working feature. The shortest path is usually the insecure one: string-concatenated queries, an (one of the addressable doors into your app — a single the app answers requests at) with no permission check, a pasted inline because that's the example it learned from.
It gets worse, because the AI learned from the entire internet — including a decade of tutorials and abandoned repos that were themselves insecure. Insecure code is more common in its training data than secure code, because secure code is harder to write and rarer to post. When you ask for "a login form," you're statistically likely to get the average login form on the internet, and the average login form on the internet has problems.
The AI also has no sense of threat. A human building a file upload feels a flicker of worry — what if someone uploads something nasty? The AI feels nothing. It writes the handler with the same confidence whether it's airtight or wide open. There's no hesitation, no "hmm, this part makes me nervous." You have to supply the nervousness yourself.
The takeaway isn't "AI code is dangerous, don't use it." It's that "it works" and "it's safe" are two different questions, and the AI only answers the first one unless you force it to answer the second.