Since this uses Django for examples and mentions Bandit as an automated option for finding vulnerabilities, are there any others that people would recommend?
I always thought a lot of the biggest hacks were done by insiders, or with insider information. I know there's a lot you can hunt for out there. But being part of the team that built something of interest, knowing what is exploitable, could be a big temptation.
Depends on what you mean by "biggest", but in my experience the most common cause is lax security practices, mainly not performing security updates quickly enough. A business doesn't want to spend extra on website maintenance, so sites get neglected, sometimes for years.