The complexity and interdependencies of deployed software systems has grown to the point where we can no longer make confident predictions about the security properties of those systems from first principles alone. Also, it is very complex to state correctly all relevant assumptions that underlie proofs of security, so that attackers constantly seek to undermine these assumptions. Complexity metrics generally do not correlate with vulnerabilities and security best practices are usually founded on anecdotes rather than empirical data. In this paper, we argue that we will therefore need to embrace empirical methods from other sciences that also face this problem, such as physics, meteorology, or medicine. Building on previous promising work, we suggest a system that can deliver security forecasts just like climate forecasts.