All products will have defects that are not CVEs, hopefully by a large margin.
But every sufficiently complicated product will have defects of this type, and a higher probability of defects does increase the probability of CVEs.
So, it follows in practice, as can be seen by looking at CVE rates from projects with high defect rates (web browsers, kernels, ...) vs projects with low defect rate.
Note that defect rate differences can be caused by multiple things.
But every sufficiently complicated product will have defects of this type, and a higher probability of defects does increase the probability of CVEs.
So, it follows in practice, as can be seen by looking at CVE rates from projects with high defect rates (web browsers, kernels, ...) vs projects with low defect rate.
Note that defect rate differences can be caused by multiple things.