Here's a thought. If you look at the code bases of large software providers, Microsoft, Oracle or Cisco (even though they're known as a hardware company, all those switches and routers run software), you'll see that they've had vulnerabilities found in them, and for that trio a fair number.
Now think about all the new vendors that spring onto the market with each new trend in the security market. This year it's NAC; in previous years it's been IDS, A-V and anti-spyware, endpoint security... the list goes on.
Now here's the thing: in reading the websites or promotional literature of security product providers, I've never seen them say anything about their development practices or methodologies, which need to be top notch to reduce the chances of vulnerabilities cropping up.
Obviously security flaws in any software can be bad, but if your security software isn't securely developed you're in a whole load of trouble.
So next time you're going to buy some security software, don't just ask about all the whizzy features and how compliant it'll make you. Ask about their development practices: what code reviews are carried out, whether they get external parties to validate their code, that kind of thing...


raesene

Security Geek, Kubernetes, Docker, Ruby, Hillwalking