A key point is that when you do things right, doing things correctly results in security. OpenBSD's documented audit procedure underscores that. They don't look for security holes per se. They look for bugs and fix them. Later on they find out that at least some of their bugs were security holes. And even if they weren't, well they at least got rid of some bugs... :-)