The bottom line is that against the team of e.g. 10 testers that the company can put on a product economically, because we are “too stingy” to pay more for the software, there are quickly 100 or more “evil” testers (the black-hat hackers and the hacking service providers to security services, who look for flaws they can exploit – and don’t report that flaw to the software creator)
Testing continues, and most bugs are also found and fixed (or even never found, but prevented by good code standards) before a piece of software is released. A large part of the remaining bugs will probably (because no exploits seen by the security companies) be found and fixed (in a new release) without being able to be exploited by later tests of the company or security researchers.
A small part is still overlooked there and arguably the first to be found by black-hat hackers. That small part is the ‘zero-day’ vulnerabilities: security vulnerabilities that have only become known because people (usually security/antivirus companies) have discovered abuse of the vulnerability by hackers.
And 100% safe is just a piece of software that has no input whatsoever… and that is of no use to you at all.
The knowledge is certainly used, but since we do not want to pay an expensive premium for the new version of software (and a new version every year, because last year’s is sooo 2020, and that of 2019 is really a dinosaur) can’t afford to run a company on a comparable amount of tests/testers as the combined strength of the bad guys (who also don’t sit still and keep coming up with new and better tools to try and find a logic flaw and then exploit to make a program not just behave strangely, but completely new behavior desired by the hacker.