Application security is like physical security of a building. If you leave a window open bad actors can get in easily.

Instead of open windows, software developers frequently code software in ways that can be easily manipulated, or that introduce easily exploitable vulnerabilities.

Companies hire security guards to go looking for open windows and hope they discover them before bad actors do.