Security vulnerabilities have three major causes: code quality, complexity, and trusted data inputs.
Article Link: https://www.darkreading.com/partner-perspectives/f5/where-do-security-vulnerabilities-come-from/a/d-id/1329951?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple