1. An ordinary user has very limited access to your server's internal logic, so it is often hard to know, without actually attempting a harmless exploit, whether some suspicious-looking code is actually a bug and is actually exploitable. Your suggestion is impractical unless the sysadmin has the time to deal with people pointing out false positives rather than real bugs.
2. After a sysadmin finds a security hole in his system, he can avoid cleaning up everything if the logs can be trusted and they say the hole has not been exploited. Now, if the trusted log instead says that the only exploit to your SQL injection bug is that someone did a "CREATE TABLE this_is_a_security_hole ...", this does not take much more effort to deal with.
3. s/your house/the government building containing everyone's personal data/. A security hole may affect other people more than it affects you.