Is finding security holes a good idea?
Eric Rescorla's paper "Is finding security holes a good idea?" actually analyzes the data on bug discovery. Conclusion of (the first draft of) the paper:
If finding security defects is a useful security activity, then it should have some measurable effect on the software security defect rate. In this paper, we have looked for such an effect and only found very weak evidence of it. In the best case scenario we are able to make, the total defect count has a half life of approximately 3.5 years. However, our data is also consistent with there being no such effect at all. In either case, the evidence that the effort being spent on bug finding is well spent is weak.