Case in point, the NASA shuttle avionics system. CMMI level 5 certified software development program, track record of 2 Sev-1 defects per year during development.
Timeline Analysis and Lessons Learned (see page 7/slide 6) You'll find that there were hundreds of unknown latent Sev-1 defects (potentially causing loss of payload and human life) and even ~150 defects 15 years after the program started.
The question isn't whether your team is capable or willing to fix the issue, you must acknowledge that there is nearly 100% certainty that there are unknown vulnerabilities in any software you write. The question goes back to whether a bug bounty program will ever cross the inflection point of a ROI chart.