Many of the security issues still prevalent today are caused by poorly written software applications with bugs in them.
Those applications need to be audited for bugs with a fine-toothed comb. Most of these issues persist because many IT folks are afraid of doing the real work: opening the hood and fixing the system from the inside.
Mostly this is because they do not have the skills or the zeal to actually do it.
They prefer to produce a lot of security reports without looking at the details of the source code.
Checking and verifying configurations is useless if the software being configured is defective at the implementation level.
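The following is an added example illustrating the point above; it is not code from the original page. It assumes a hypothetical file-download helper that is handed a correctly configured base directory (the "configuration") and a user-supplied file name. The configuration is right in both versions; only the implementation differs, and a small audit routine over constructed inputs shows which version actually honours the configured boundary.

```python
"""Added example (not from the original page): a configuration can be correct
while the code that consumes it is defective. Here the configured base
directory is fine; the bug is in how user-supplied paths are joined to it."""
import os
import tempfile

# Constructed "configuration": a dedicated directory that downloads must stay in.
BASE_DIR = tempfile.mkdtemp(prefix="served_files_")


def resolve_defective(base: str, requested: str) -> str:
    # Defective implementation (hypothetical): os.path.join discards `base`
    # when `requested` is absolute, and nothing normalises "..", so the
    # configured boundary is bypassed even though BASE_DIR itself is correct.
    return os.path.join(base, requested)


def resolve_fixed(base: str, requested: str) -> str:
    # Fixed implementation: refuse absolute requests, canonicalise the result,
    # and verify it still lies inside the configured base before returning it.
    if os.path.isabs(requested):
        raise ValueError(f"absolute paths are not accepted: {requested!r}")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes configured base directory: {requested!r}")
    return candidate


def escapes_base(base: str, resolved: str) -> bool:
    # True when the canonical form of `resolved` is outside the configured base.
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(resolved)]) != base_real


# Constructed review inputs: one legitimate request and two that a code
# review should flag because they leave the configured directory.
REVIEW_INPUTS = ["report.pdf", "../../etc/hostname", "/etc/hostname"]


def audit(resolver, base=BASE_DIR):
    """Run `resolver` over REVIEW_INPUTS and classify each outcome.
    Returns a dict mapping input -> 'ok', 'escaped' or 'rejected'."""
    results = {}
    for req in REVIEW_INPUTS:
        try:
            out = resolver(base, req)
        except ValueError:
            results[req] = "rejected"
            continue
        results[req] = "escaped" if escapes_base(base, out) else "ok"
    return results


if __name__ == "__main__":
    # Same configuration, different implementations: only the fixed one
    # keeps every request inside BASE_DIR.
    print("defective:", audit(resolve_defective))
    print("fixed:    ", audit(resolve_fixed))
```

The audit runs the same configured base directory through both implementations; no change to the configuration would make the defective version safe, which is exactly why the review has to go into the source.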
APPLICATION SECURITY KNOWLEDGE BASE
Securing Third-Party and Open Source Code Components: A Primer
13 tools for checking the security risk of open-source dependencies
Source Code Review, Identify and Fix the security vulnerability issues in your application
Managing Third-Party Code Security and Quality with Binary Analysis
10 Types of Application Security Testing Tools: When and How to Use Them
Source code analysis. The root cause.
An approach for understanding and testing third party software components