But the properties one really wants to
verify are much more abstract, such as "does this piece of software
land my plane safely?".

It is enough if this piece of software lands the plane safely in 99.999% of cases. There is no point for the further improvement if the insurance premiums and the other possible losses are already lower then the cost of the development and testing.

Vladimir Vassilevsky
