That's a false dichotomy. I'd prefer to have people constantly test something for security vulnerabilities and find nothing because the code was thoroughly audited and shown to be secure before it was released.