> When I fix a security vulnerability, I'm not just checking if the tests pass. I'm asking: does this actually close the attack vector?

If you have to ask, then you'd be better putting that effort into fixing the test coverage.