I think there's another sort of binary thinking that's even worse: thinking that systems are either "secure" (because no bugs have been identified) or "insecure" (because a serious bug has been found).
In reality, all systems contain bugs, but the presence of a single bug shouldn't be enough, on its own, to render a system insecure: defense in depth should ensure that a system remains secure even in the presence of minor bugs in any one layer.
In reality, all systems contain bugs, but the presence of a single bug shouldn't be enough, on its own, to render a system insecure: defense in depth should ensure that a system remains secure even in the presence of minor bugs in any one layer.