That's not true. Testing is reinforcement of that competence and that good design, it does not replace it. Relying on penetration tests to secure your systems has an implicit dependency on the completeness of those tests--and putting armor over the bullet holes isn't how you keep a plane in the air.


A pentest reports findings, and then regardless of how incompetent the programmers are, they are required to fix them. Then a retest happens, which verifies that the findings were fixed.

I've seen a trading application go from "typing ' will result in SQL injection" to "basically bulletproof" due to this process.

Devs can become remarkably competent when their smugness is wiped away by finding some crucial vulnerabilities they overlooked.

I know it's tempting to believe that the design part matters, but it's also tempting to believe that a doctor's emotional support matters just as much as washing your hands.

Do a stint in the pentest industry. It's eye-opening. (Look into my eyes. I've seen things. Terrible... things...)
