Corporate security is beyond merely making sure software itself is secure.

Phishing for example requires no security vulnerabilities, and is one of the primary initial attack vectors into a company.

You need proper training and the right incentives for people to actually care and think before they act.