A backdoor isn’t so much as a security flaw, as it is an act of criminal intent, or criminal negligence. As for security flaws, the simple answer is, “Programmers are not always thorough”. Most security flaws are the result of developers ignoring well-documented best-practices. It’s the very rare flaw which is discovered in compliant, peer-reviewed code.

Before you come away with the impression that I’m just shitting on programmers, the usual reason this happens is not because developers are lazy, but rather that most shops do not devote enough time and resources to security. The industry average is ~10%, and it’s been climbing year over year, but in my opinion, even 10% is woefully inadequate. In my opinion, fully half of your team’s time and resources should be devoted to ensuring your code is secure, because an insecure feature is worse than useless.