Windows XP and Windows 2003 partial source code is out there on GitHub. With such a rich corpus of known vulnerabilities in those OSes and source code availability, surely there should be an amazing number of SAST/semgrep/CodeQL rules that take existing known exploits as input and then produce rules that find similar things, yet I don't seem to be able to find such projects.

Surely these two code bases should be the foundation of most good CS/cyber courses - students finding new bugs, etc.

Is source code junk?