One in a million happens quite often if you're processing something like ~100k requests a second.

In fact I agreed with the parent and just posted a tongue in cheek remark.

One in a million literally means that at ~100k requests a second it will happen once every 10 seconds.

But it's extremely unlikely when you're processing 10 requests a week, such as might be the case for the web server in a consumer-grade router.

It's amazing how skilled blackhats are at converting "rare bug that doesn't affect the UI" into "massive DDoS cannon".

And you can see how risk analyses by senior engineers with tons of embedded experience who are used to working with systems that are not networked leads to problems when their systems are later networked.

...by hundreds of thousands of customers.

One in a million isn't just a typical statement of probability, it's a colloquialism used to refer to things that never happen in practice. It's highly misleading to use in the context of computers which, due to their natures, have one in a million events occurring constantly.

My comment was tongue in cheek.