Human error in coding forms the biggest threat out there on the Internet.
Attackers and cybercriminals do not form the biggest threat; the biggest threat is formed by ignorance and arrogance and incompetence even or just driven by cost-effectiveness (keeping RC4 on because it is 3.5 times cheaper in operational costs despite the fact it is far less secure).
So we have become better in bug hunting but we often have not got the time to do it. Code is presented as fit to use, while it has not as yet been thoroughly tested. Loads of code has not been upgraded and patched even or left code is still in use, while developers no longer maintain it.
Then there is a whole area of insecurity because of misconfigurations and wrong settings or incompatibility in the wrong combination of security settings.
I am not alone with this view; the founding father of the Interwebs has this opinion:
https://www.washingtonpost.com/blogs/post-live/wp/2016/05/18/meet-father-of-the-internet-vinton-g-cerf/
When we state code is retirable, it does not mean it is malcode per se, it has been followed up by a more secure version.
What I presented earlier in the thread is just code that has not been tested properly, code that comes undefined at a certain stage or never was properly checked and ascertained often while people do not want to spend either the time or the money.
Let us keep up following them coders like the lice in the fur of the software,
and see to it they feel many an itch from bugs undetected....

polonus (volunteer website security analyst and website error-hunter)