So one thing people don't have any scope of measuring - (maybe as a set diagram finite states?) - is the difference between two parsers for the same protocol. Ten years ago a lot of the security community had a discussion about "LangSec" which turns out to have been entirely correct in retrospect.
NCCGroup's recently released analysis of the F5 bug is a key example of this principle in action:
Most people look at HTTP Desync as simply using Content-Length confusion - figuring out ways to make one request look like it's not the same length, and using that for SSRF or XSS or various other attacks. But ANY DIFFERENCE IN THE PARSERS leads to critical level attacks.
Of course, what this means is that you need to have different emulated parsers for each web server behind you depending on if they are Apache/IIS/NGinx . . .
-dave