And to answer your question more directly, the flour itself causes the damage. The vulnerability is only damaging if a malicious actor takes advantage of it.
Food safety practices only became standardized after regulation was enacted.
> pre-approved and comparatively trivial recipes
That sounds like most software development.
I think you are unwittingly making the case that software development is a lot like food production. Software development is only beginning to get regulated because it is only now reaching the level where it is hazardous to public safety, unlike food production which reached that a long time ago.
Because you actually can standardize them. Software isn't so simple.
"> pre-approved and comparatively trivial recipes
That sounds like most software development."
Lol no that does not. Why wouldn't high school graduates or drop outs work in software instead of at fast food? The number of languages, frameworks, patterns, etc are much more complex than basic sanitation and time/temp/acidity.
It isn't simple due to choice, not due to the nature of software. Software is relatively simple compared to other meat-space engineering disciplines. Software engineering is an relatively immature engineering discipline, but it is implicated in enough safety critical systems these days that it is about time to start maturing.
It will be painful but I welcome more software regulatory standards, because it is necessary for our trade to mature.
For example, one might require some software to undergo various degrees of planning, testing, analysis, support, documentation, etc.
Right now, the amount of planning, testing, analysis, support, and documentation required by law is generally zero. This might be fine for someone's hobby project, but it is not okay for software that human lives depend on.
How does someone know that a particular application is something lives depend on? Either your lawyer, insurance company, or regulator explicitly tells you.
To make an analogy to the physical world. We have a company, B, that makes bolts, they publishes the characteristics of that bolt but do not certify it for any particular use.
Company C makes cars and decides to use bolts form company B. It turns out that is not a good choice since company B bolts do not have the characteristics that are need to use in a car.
The CRA from the a simple reading used in the discussions here[1], holds company B responsible for company C using the bolts in a way where peoples lives depend on it.
This sort of reuse can be much more common in software than it is bolts for example and just like company B did not control how company C used their product after buying it open source developers do not control how others use there software but CRA might make them liable for it.
This does not make sense to me, company C should be liable for their choice of bolt, company B should be liable for any false or incorrect claims for the characteristics of their bolt. Company B should not be held liable for the misuse of their bolt by company C which is what the CRA seems to do.
[1] >>38788919