
I would think it should be required to report. Just because you don’t know if a vulnerability was exploited does not mean it was not.


I assume cloud providers have hundreds of security issues that are found internally over the course of a year. Requiring reporting would certainly be a step forward and testing in production for software would maybe be seen as what it is, an engineering anomaly and failure to perform due diligence.


That’s fair. I suppose I would aim for a distinction between minor and major flaws. What would be a reasonable threshold?


You are going to be off by at least an order of magnitude. You'd see multiple reports per day for a diligent company.



