if OpenSSL had 5 pages of bugs so far... and was widely used in an ecosystem where the source was there, just imagine the nightmare of closed source projects...
patching 100 bugs on average introduces 3 new bugs. now i know bugs != security vulnerabilities. but bugs are why people complain about software stability.
also a 'vulnerability' bug has a black market value that is always going to be higher than bug bounties. however an old exploit has the added value of 'reporting' it after a new vulnerability is found and the old one is blamed perhaps by news of this 'old' vulnerability. it's a revolving door problem. back in 1997 i knew how to 'fix' broken open source ports tree applications, because i used freebsd and it was very buggy (though less buggy than the windows 95 machine i had).
as i see it the problem is marketing. to get people to buy computers they promote them as doing a lot of things that they can only just barely do. and often the code base is filled by people who don't care about quality and comprehensible coding. and for profit they often take steps to make the code illegible as a so-called security through obscurity (which never works for more than a few years).