Why Security Holes Appear in Masses

A lot of people know the annoyance of having to push the third security fix for the same software within just a few months. That is also around the time when news portals start running stories about how many security holes this software has, which leads people to think it is insecure as a whole.

This comes from an increased awareness and also has some positive effects on the project. With every vulnerability found, the interest of some people grows, leading them to look over the project's code more closely or in different ways.

One example of this is OpenSSL, where people found what I think is now the third possible point for a downgrade attack.

Another example, which I observed more directly, is Magento. It recently had a vulnerability regarding the admin login. While this got fixed, people investigated a bit more and found three (again, it seems to be a magic number) possible ways to work around the obfuscation of the admin path.
In my opinion this is only a small security problem, as obfuscation itself is of quite questionable value for security, but that's another story.

So if you work with something and you need to update or patch it because of a security problem, expect another one during the next weeks or months. And if you have had two or three, be sure that more will come in the following months.
This can extend to nearly a full year; PHP had this once. But after that you get a very relaxed time again, with no disruptive high-priority security patches.