You are right. No one is talking about absolute 100% security here. The top 25 are the most egregious and easily remedied defects. These are the easy ones, folks. Ones we know a lot about and know how to prevent.
We need software to be free of them because organizations are under attack through application vulnerabilities. Has anyone heard of Google/Aurora or Heartland Payment Systems? Both organizations were breached through software defects.
When the environment changes, software needs to change. You wouldn't take a regular car off-road into a military usage and expect it to perform well. We are expecting the software process to not change (too expensive, too hard, 100% security is impossible) yet perform well under constant scrutiny and attack.
We need to change how we build software and having customers set security requirements is the best way to do it.