Aaron Patterson · 9mo · Public · mastodon.social
Investigation is a huge pain, and the scope of the problems sometimes makes the process cumbersome and demoralizing. Let's take an example: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
For your app to be vulnerable to this, you have to
* call `translate` from a controller
* use a translation key that ends in "_html"
* use a translation default where the default translation text is untrusted text
* be missing the specific translation
* trick a victim into seeing this
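A triage heuristic for the conditions listed above, added here as an example and not code from the post or from Rails: it scans controller source for `translate`/`t` calls whose key ends in `_html` and whose `default:` is not a plain string literal, so a reviewer can trace where that default comes from. The controller source is constructed sample input, and the single-line regex is a heuristic rather than a Ruby parser.

```ruby
# Added example (not from the post, not Rails code): flag translate/t calls in
# controller source whose key ends in "_html" and whose default: argument is
# not a plain string literal, i.e. the call shape the listed conditions describe.

Finding = Struct.new(:line, :key, :default_expr, :literal_default)

# Matches `translate(` or `t(` followed by a symbol or string key ending in _html.
# Heuristic: single-line calls only; a call split across lines is not detected.
CALL_RE = /\b(?:translate|t)\(\s*(?::|["'])(?<key>[\w.]*_html)["']?\s*,(?<rest>[^)]*)/
DEFAULT_RE = /\bdefault:\s*(?<expr>[^,)]+)/
STRING_LITERAL_RE = /\A(["']).*\1\z/

# Returns every _html translate call that passes a default, with its line number.
def scan_controller_source(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    call = CALL_RE.match(text)
    next unless call
    default = DEFAULT_RE.match(call[:rest])
    next unless default
    expr = default[:expr].strip
    findings << Finding.new(lineno, call[:key], expr, expr.match?(STRING_LITERAL_RE))
  end
  findings
end

# Only calls whose default is an expression (params, instance variables, ...)
# need a reviewer to trace the value back to its origin.
def risky_findings(source)
  scan_controller_source(source).reject(&:literal_default)
end

# Constructed sample controller source, not taken from any real application.
SAMPLE_CONTROLLER = <<~RUBY
  class ArticlesController < ApplicationController
    def show
      # _html key with a request-supplied default: needs review
      @title = translate("articles.missing_title_html", default: params[:title])
      # _html key with a literal default: author-controlled markup
      @note = t(:note_html, default: "<b>Note</b>")
      # no _html suffix: value is escaped when rendered
      @plain = t("articles.plain", default: params[:title])
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  risky_findings(SAMPLE_CONTROLLER).each do |f|
    puts "line #{f.line}: #{f.key} default=#{f.default_expr} (trace where the default comes from)"
  end
end
```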