Just one comment for now as I put some more thought into the topic:
“The change that breaks static analysis is the move to dynamically typed languages”

I don’t necessarily agree with this. Just because commercial SAST do not currently cover any of these languages today doesn’t mean that they won’t in the future. I understand that inspecting dynamic languages is more difficult because you don’t have the characteristics of the type system to lean upon. However, certain tools such as Ruby Flog measures assignments, branches, and calls. Some dynamic languages like Groovy output Java bytecode. You may also see a move to other testing methods such as unit and module testing for security properties, particularly effective when combined with code generation and metaprogramming principles.