Something interesting did happen around that time. Looking at all CVEs as an aggregate, it appears 2008ish is about when there was an inflection, perhaps a shift from OS to injection/validation/appsec?
I left MSFT in 2007 and at that time they were in full "security is important" mode. Due to backcompat it's of course hard (impossible?) to remove local exploits, but RCE is a lot harder. For example, I don't know the last time I heard about a Windows RCE. Edge/IE sure, but not Windows. Windows Defender is a very good security product, and Windows Update "just works".
Did anyone read this and not laugh out loud?
"These hardware bugs turn that idea on its head, suddenly the whole ghost in the shell hacker style dream is again a possibility"
No, it was always a possibility.