
My phrase at a previous company was that "not every bug is a vulnerability, but every vulnerability is a bug". In that context our goal as a security team was to drive the total bug count to zero, both by helping to design systems which could be kept bug-free and by aggressively hunting the kinds of bugs we really cared about. In my opinion, that was a great way to do business, with the caveat that you can't be the only team committed to having zero bugs.

