I did not realize how poorly the general "tech savvy" public apparently misunderstands software security.
Auditing is closer to an art than a science. For any real software, no two auditors will find the same set of bugs.
Think of it as similar to QA. If you write some complex software from scratch, and give it to 1 tester to do one pass on it, do you expect every bug was found and fixed?
Like security audits, you'll still be finding bugs for years, or in some cases even decades, that were sitting there all along.
