Sure that works for a restricted set of vulnerabilities. But generally security vulnerabilities don't stem from bad protocol implementations, but from misconfigurations of generally-functioning software, and bad choice of policy. (For example, this vulnerability was just an extra hardcoded admin account in the router's web console.
If I know what the state machine/protocol looks like, I can have a better idea about how much stuff should be present.
For example, if the vendor claims that the product is limited to a regular grammar (a “plus” for security), but the implementation contains extra stuff in the data section, then an audit can flag it since a finite state machine should (theoretically) only need code.
