There’s a chain in a bug - a threat exploits a vulnerability that causes a problem to a victim. Or something external to the product (threat) happens and because there’s a vulnerability (something in the product that permits problems to happen under certain conditions) then it causes a problem (something the product does that it shouldn’t) to a victim (someone who feels the impact of the problem).
“We break software” means “We create the threats that expose vulnerabilities”
“We get broken software” means “The software has vulnerabilities created by our clients and never by us, we just find them”
This is why both sides of the argument are certain that they are right. It’s the blue and gold dress all over again.
If you say “testers break software” then you take on some responsibility for the fact that you broke it - you don’t look like a sceptical investigator reporting on a situation you look like a dick with a hammer cocking up everyone’s work.
If you say “it’s broken when we got it” then you look like a dick that’s shifting that blame to your own test clients.
So say neither, it’s a false dichotomy. Stay away from the work “break” in a software-at-work context. It doesn’t even make sense - what would it mean for software to “break” anyway? The word’s a shortcut to too many meanings (meets quality standards, meets requirements, capable of working, has a bug, etc) to be useful in professional communication.