Bull Sh*t.
There are two axioms that every professional programmer knows. For every offense there is a defense that will prevent it. Defences are always invented after offenses are created.
To program a totally secure program the programmer has to invent all possible attacks and then invent defenses that will prevent all possible attacks.
An attacker has to find one attack that has not been defended against.
The attackers job is several orders of magnitude easier than the programmers.
No, it's because they either have:
a) No job
b) No life
c) Both a and b