They look everywhere, I think it's a case of survivor bias where we only see when they succeed (via published bugs). We don't hear about the thousands of times that they failed to find anything.
This. Very much this. It also depends on the scope.
Eventually you'll find something if you're auditing a product, because you'll start at the application interface layer and work your way down.
No issues with the design of the application (this is end-game 50-75% of the time)?
OK, what about the libraries you've used.
OK, what about the framework you've built on.
OK, what about the web server you're running.
OK, what about other services on the web server you're running.
OK, what about the operating system you're running.
OK, what about the people who administrate the services you're running (this is usually end-game 98% of the time - it's the "auto-win" card if it's in-scope).
And in between all of the above, you can leverage different holes you found to find more holes in the previous and future steps you've taken.
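To make the "work your way down" idea concrete, here is a small added example (mine, not the commenter's, and not part of any real tool) of the first thing a tester does at the web-server / framework / OS layers: pulling fingerprints out of HTTP response headers and session cookie names so each layer in the list above gets a product and version to go look up. The two responses and all header values are constructed for illustration; the cookie-name table is a short hand-picked set of well-known defaults, not an exhaustive signature database.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8

<html>...</html>"""

SAMPLE_RESPONSE_NO_VERSIONS = """HTTP/1.1 200 OK
Server: nginx
Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly

<html>...</html>"""

# Default session cookie names that give away the framework or runtime even
# when the server strips version banners. Hand-picked, not exhaustive.
SESSION_COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "connect.sid": "Express/connect (Node.js)",
    "laravel_session": "Laravel",
    "csrftoken": "Django",
}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into a lower-cased header -> values map.

    Only the header block (before the first blank line) is read; the status
    line is skipped. Repeated headers such as Set-Cookie are kept as a list.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def fingerprint(raw: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map header evidence onto the layers a tester works through.

    Returns a dict keyed by layer ("web_server", "framework_or_runtime",
    "operating_system") holding product/version strings where present. A
    missing key means the response gave no evidence for that layer and the
    tester has to get it some other way.
    """
    headers = parse_headers(raw)
    layers: Dict[str, Dict[str, Optional[str]]] = {}

    # Web server layer, e.g. "Apache/2.4.41 (Ubuntu)" or "Microsoft-IIS/10.0".
    # The parenthesised comment, when present, usually names the OS or distro.
    for server in headers.get("server", []):
        m = re.match(r"([A-Za-z-]+)/([\d.]+)(?:\s*\(([^)]*)\))?", server)
        if m:
            layers["web_server"] = {"product": m.group(1), "version": m.group(2)}
            if m.group(3):
                layers["operating_system"] = {"hint": m.group(3)}
        else:
            # Banner without a version ("nginx"): product known, version not.
            layers["web_server"] = {"product": server, "version": None}

    # Framework / runtime layer from X-Powered-By, e.g. "PHP/7.4.3", "ASP.NET".
    for powered_by in headers.get("x-powered-by", []):
        m = re.match(r"([A-Za-z.]+)/?([\d.]*)", powered_by)
        if m:
            layers["framework_or_runtime"] = {
                "product": m.group(1),
                "version": m.group(2) or None,
            }

    # Session cookie names as a second, banner-independent framework hint.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        if name in SESSION_COOKIE_HINTS:
            layers.setdefault("framework_or_runtime", {})
            layers["framework_or_runtime"]["cookie_hint"] = SESSION_COOKIE_HINTS[name]

    return layers


if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_RESPONSE_NO_VERSIONS):
        print(fingerprint(sample))
```

The second sample shows the usual real-world case: banners trimmed, so the web server is identified but unversioned, the OS layer has no evidence at all, and only the JSESSIONID cookie tells you what sits behind nginx. Anything that comes back as None or missing is exactly the "OK, what about..." step the comment describes, pursued by other means (error pages, default files, TLS stack behaviour, and so on).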