Only a small fraction of vulnerabilities are found because only a small fraction of code is analysed. Vulnerabilities are not discrete entities, they almost always fall into a class of vulnerability that is known and some of these classes are easier to test for or exploit. It is likely that two people will come up with the same or substantially similar vulnerabilities because easiest will be tried first.

In terms of risk, the probability of compromise is 1. The statistics come from how severe and how frequent the compromises are. This results in a minimisation methodology where as long as the overall loss remains at an tolerable level then the leakage is accepted. If only 1 person exploited the vulnerability, it would never be known. If a gang exploited the vulnerability, it would eventually become known, police would be called, they would eventually be caught, and the vulnerability would be found out then patched in the next release or two. If the method of exploitation is made public then the overall level of loss may quickly become uncontrolled. This gets fixed quickly.

Security is not the opposite of shoddy design. While a good design can remove and reduce vulnerabilities, security can never be perfect. The best that can be hoped for is striving for excellence in design and implementation and an iterative approach to resolving problems.