When an airplane crashes due to a design failure, thorough investigation often yields a specific design element or combination of elements acting as a root cause; and we have a much broader range of corrective actions available, including modifications to the design for improved redundancy, fault tolerance, higher likelihood of correct manufacture, lower defect rate, easier cockpit control, etc. We can also make process changes, like modifying the maintenance schedule, updating the maintenance checklist, pre-screening critical components for correlated early signs of defect, updating pilot training manuals, etc.
There are also plenty of cases where aircraft crashes occurred due to malfeasance. In rare cases, there might be a design mechanism that can prevent malfeasance, but aircraft are overwhelmingly designed to be built, maintained, and operated by people who aren't trying to misuse them for mass violence (sort of like malls, or public schools). But there's legions of process controls implemented on the hiring and training of the people directly involved with aircraft manufacture, maintenance, and operation.
And yet, Boeing still made a plane that dropped out of the sky twice. And that wasn't even necessarily malfeasance - a good chunk of it can likely be chalked up to second or third order effects of cost saving measures and siloed design teams. I guess you could make an argument for malfeasance, but something something incompetence indistinguishable from malice... in any case, the technical analysis of the design problem is totally solved, but what about the process control by which the design came to be flawed in the first place? I genuinely don't know whether they've modified or added to their process controls to prevent the same design flaw, let alone others not directly related.
Scores of new process controls were put into place in the wake of 9/11 (which incidentally resulted in about the order of magnitude of casualties observed in all US mass shootings since (I think? There's a few different numbers floating around, depending on the threshold for which a mass shooting is recorded)). Many additional "process controls", if you'll allow the tortured reading of the concept, were implemented outside of aviation - a multi-trillion dollar double decade war campaign, passenger luggage and body scanning, and mass surveillance systems, to name a few. 20 years later, and none of this prevented a pilot from doing some unauthorized loops in the Seattle sky before crashing, and very likely nothing except for a lack of killing intent prevented him from flying his plane into a building downtown. Were the process controls implemented after 9/11 effective? I genuinely don't know the answer. Maybe aviation terrorism just has a low base rate to begin with. Maybe I'm uninformed, and our process controls have foiled numerous attempts at terrorism. It's hard to tell with rare events.
Unlike with engineering design work, where you can deduce real responsibility for failure and synthesize a test case to prove the soundness of a design, debugging complex and rare psychological or sociological phenomena is substantially more inexact. Mass shooters are a statistical anomaly against the population as a whole. People are aware of process controls and can deliberately plan subversion tactics. The snarled mess of genetic predispositions and environmental insults that drive someone to terrorism are not guaranteed to be the same across multiple people, especially at the long tail of the distribution. Preventative policy proposals can be misguided or undermined for numerous unrelated reasons, never achieving the desired effect.
None of this is to say we shouldn't try to find and implement effective process controls on mass violence... I just hope to offer an explanation why mass violence can't be approached with the same rigor as human-designed engineering systems with any predictable return on investment.
