A vulnerability can be anything from “Dude behind the keyboard never set a password” to “Something fundamental to the hardware allows for exploitation.” The former is by far the most common exploit, but the latter does exist and everything in between exists.

The thing about the code you’re imagining is that it’s vast, it’s the product of tens of thousands of hands and decades of work in the case of something huge like an OS. Complexity and obscurity make it almost impossible to perfect, and as long as there’s a huge intrinsic reward to finding cracks in that edifice, hackers will exist. Sometimes it’s down to finding an existing flaw, like discovering the ability to inject code by forcing an error state. Sometimes it comes down to essentially *creating* a flaw that was never considered, like [Van Eck Phreaking](https://en.wikipedia.org/wiki/Van_Eck_phreaking)