Most of the security flaws in computer programs come from developers using unsafe programming languages where it’s very easy to make a mistake working with the computer memory.
There are safe languages, but they’re very resource-hungry, as in they consume a lot of RAM and processing power. So, either safe but inefficient, or unsafe and fast.
Programming languages are evolving though and getting better at being both safe and efficient, but adoption of new languages is slow. Microsoft, for example, has been working on Windows for at least 25 years, and migrating to a new programming language with such a huge product is very expensive.
The rest of security flaws are design errors, as another comment already stated.
Another angle to this is, software developers are usually not security engineers. They are not thinking like security engineers. And designing good security mechanisms makes their work very painful. So usually they create a product and then fix security flaws when the users find them, by which point it’s a little too late, but better than never.
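To make the memory-safety point above concrete, here is an added example (not part of the commenter's post) showing the kind of mistake the answer refers to in C: a copy into a fixed-size buffer with no bound beside a hardened version that checks the length first. The buffer size, function names and sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed: fixed-size destination buffer */

/* Unsafe pattern: strcpy copies until it finds the NUL terminator and knows
 * nothing about the size of `buf`. Any input longer than NAME_LEN - 1 bytes
 * writes past the end of the buffer (a classic stack/heap overflow). The
 * language does not stop this; only the developer's discipline does. */
size_t store_name_unsafe(char buf[NAME_LEN], const char *input) {
    strcpy(buf, input);            /* no bound check at all */
    return strlen(buf);
}

/* Hardened pattern: measure the input against the destination size before
 * copying, refuse anything that does not fit, and leave the buffer in a
 * defined state so the caller cannot read stale bytes. Returns 0 on success,
 * -1 when the input was rejected. */
int store_name_safe(char buf[NAME_LEN], const char *input) {
    size_t n = 0;
    /* bounded scan: never look further than NAME_LEN bytes into input */
    while (n < NAME_LEN && input[n] != '\0') {
        n++;
    }
    if (n == NAME_LEN) {           /* no room for the terminator: reject */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, input, n + 1);     /* exactly n bytes plus the NUL */
    return 0;
}

int main(void) {
    char name[NAME_LEN];

    /* constructed inputs: one that fits, one that does not */
    if (store_name_safe(name, "alice") == 0) {
        printf("stored: %s\n", name);
    }
    if (store_name_safe(name, "a name that is far too long to fit") == -1) {
        printf("rejected oversized input, buffer cleared to \"%s\"\n", name);
    }

    /* the unsafe version is only called with input that fits; with the long
     * string above it would corrupt memory beyond `name` */
    printf("unsafe copy length: %zu\n", store_name_unsafe(name, "bob"));
    return 0;
}
```

The safe version is the same amount of work for the CPU; the cost of memory safety in a language like C is developer attention, which is exactly what the answer says is hard to sustain across a product the size of Windows.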