True, there are always bugs and security issues, but security issues tend to ramp even quicker than general bugs up from trivial to find to very, very difficult to find, so finding bug n+1 may be substantially harder than finding bug n.

Given a reasonably competent development team, you can usually make a first pass and find quite a number of low-hanging fruit security issues. Everyone makes mistakes, especially when under pressure to get a product out. Once those are gone you can use fuzzing and/or static analysis type techniques to find another set, but after that you get to the point where the bugs start getting quite obscure and require a fairly deep knowledge of how the system works so you can start stringing multiple problems together to get to a real security issue.

Of course this can be offset somewhat by the fact that software is usually a moving target, so if you're security testing a live, active codebase the developers are likely introducing new issues all the time, though hopefully at a reduced rate as they learn from their previous errors.