Hacker News

hrmtst93837, today at 11:09 AM

Any patch you ship lands on a moving treadmill of releases and deps, with new code stapled onto old junk and old assumptions leaking into the next version. Attackers can run the same models you do, so the gap between finding and fixing bugs shrinks until your team are doing janitorial work against a machine.

"Perfectly secure" software is a philosophy seminar, not an outcome. You can cut the bug pool down a lot, but the tide keeps coming and the sandcastle still falls over.


Replies

stavros, today at 11:16 AM

Any patch you ship can be vetted by the same models, so you can be sure the same models can't find a vulnerability in the attacker's hands. Then it's just a matter of fixing the old vulnerabilities.
