"And now we know the binary search is bug-free, right? Well, we strongly suspect so, but we don't know. It is not sufficient merely to prove a program correct; you have to test it too. Moreover, to be really certain that a program is correct, you have to test it for all possible input values, but this is seldom feasible. With concurrent programs, it's even worse: You have to test for all internal states, which is, for all practical purposes, impossible."
This is exactly why we have so many problems comprehensively scanning complex web applications, where the discrete software components live on many different servers. The state is always changing. The code is always changing. Everything is always changing.
"Careful design is great. Testing is great. Formal methods are great. Code reviews are great. Static analysis is great. But none of these things alone are sufficient to eliminate bugs: They will always be with us. A bug can exist for half a century despite our best efforts to exterminate it."
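The binary-search bug the quoted article refers to is the midpoint computation `(low + high) / 2`, which is provably correct over unbounded integers yet overflows in fixed-width arithmetic once an array passes 2^30 elements. As an added example (not code from the quoted article or from this post), here are the naive and the fixed midpoint side by side, a search built on the fixed one, and a bounded property check; the sample array and the index pair near the 32-bit limit are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* The midpoint that sat in textbook and library binary searches for
 * decades. Over unbounded integers it is obviously right; in 32-bit
 * arithmetic low + high wraps once it exceeds INT32_MAX and "mid" goes
 * negative. Signed overflow is undefined behaviour in C, so the wrap is
 * modelled with unsigned arithmetic (the cast back wraps on two's-complement). */
int32_t mid_naive(int32_t low, int32_t high) {
    uint32_t sum = (uint32_t)low + (uint32_t)high;
    return (int32_t)sum / 2;
}

/* The fix: with 0 <= low <= high, high - low cannot overflow. */
int32_t mid_safe(int32_t low, int32_t high) {
    return low + (high - low) / 2;
}

/* Property a test can check: the midpoint lies inside [low, high].
 * Checking every (low, high) pair is ~2^62 cases (the "seldom feasible"
 * part of the quote); a window near the limit is cheap and catches this bug. */
int midpoint_in_range(int32_t low, int32_t high) {
    int32_t m = mid_safe(low, high);
    return low <= m && m <= high;
}

/* Binary search over a sorted int32 array built on the safe midpoint.
 * Returns the index of key, or -1 if key is absent. */
int32_t binary_search(const int32_t *a, int32_t n, int32_t key) {
    int32_t low = 0, high = n - 1;
    while (low <= high) {
        int32_t mid = mid_safe(low, high);
        if (a[mid] < key)      low = mid + 1;
        else if (a[mid] > key) high = mid - 1;
        else                   return mid;
    }
    return -1;
}

/* Constructed sample input for the demonstration. */
const int32_t SAMPLE[] = {-7, 0, 3, 9, 12, 27, 41, 58};
const int32_t SAMPLE_LEN = 8;

int main(void) {
    int32_t low = 1 << 30, high = 2147483646; /* indices into a huge array */
    printf("naive mid = %d, safe mid = %d\n", mid_naive(low, high), mid_safe(low, high));
    printf("index of 27 = %d\n", binary_search(SAMPLE, SAMPLE_LEN, 27));
    return 0;
}
```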
This is another reason why I've been a heavy proponent (as a practitioner and a vendor) of pen-testing websites the way a hacker would. Because a hacker only needs to find that one bug to ruin your day, you have to test even more thoroughly and intensely. The focus must be on finding all vulnerabilities, all the time; it's the only way to make a difference.