[AmericanChopper]

Even poorly designed business rules create huge number of security issues. The whole stack could be perfectly bug-free and you’d still get those.

[AnimalMuppet]

It can get worse. How about deliberately designed features that are security bugs? I'm looking at Microsoft's "sure, we'll execute any email attachment that the user clicks on, because that's more convenient!". Implementation language wasn't going to save you there...

[hnick]

Credit card numbers as customer identifiers on printed and emailed documents? Seen it.