How can security vendors reduce their own attack surface?

Trend Micro is the latest in an increasingly long list of security vendors found wanting when it comes to securing their own products. The Trend Micro 'Password Manager' vulnerabilities which would enable hackers to execute malicious code and the contents of the password vault, were uncovered by Google Project Zero researcher Tavis Ormandy. Trend Micro moved quickly to fix the vulnerability, working with Ormandy to identify the flaw and then creating a patch. ActiveUpdates in the product can't be turned off which means that when the update was rolled out, it was quickly uploaded to all customers. By their very nature, antivirus and security solutions have a large attack surface; they offer lots of layers of protection and are comprised of myriad component structures. It goes without saying that there is a lot of code, often running with high privilege, that has the potential to be flawed.