Yes. There are no vulnerabilities in the code. There are only features.
A vulnerability is a discrepancy between what the code does and what the code is expected to do. It is a specific discrepancy, one that allows you to own the system, but that’s it. So, if you have no expectation of how the code should behave, then – by definition – it has no vulnerabilities.
Interestingly, the majority of code is sold exactly ‘as is’, i.e. with no claim for correctness, fitness for purpose or reliability. The manufacturer, in plain legal English, tells you that you should have no expectation if and how it works. Apparently this code has no vulnerabilities at all because we should have no expectations. However, it may have features that we may not desire. And of which we do not know. That’s it. Now it is our job to find them.
Back to the main thread. If you take the code ‘as is’, then it has no vulnerabilities, only features. If you understand that the code has to satisfy several conflicting ‘has to do’ needs, you will not be surprised that it is full of features that you can call vulnerabilities.
What conflicting interests? The code is made to the specification and is supposed to deliver what it says on the tin. Right?
Wrong. Code writing is a social process. For some the only purpose of the code is to put bread on the table. For others the only purpose of the same code is to show that they are superior to their peers. For others it is an insurance against being fired. Others can see the same code as an avenue to a hefty bonus. I can keep writing this list, but I guess you have an idea.
Each one of those participants will force features that they value. Some will prefer the code that is easy to write. Others will prefer the code that is obscure. Some will install backdoors. Others will value flashy screens with no content.
Some of those features will become what you call vulnerabilities. If your business is in finding and exploiting them, then those features will put food on your table. That’s good. Those people work for you, in a way. If your business is in preventing vulnerabilities from occurring, you’d better find yourself another job.