"Rule #1 of bug bounties: No matter how much money you're offering, assume that someone evil found the bug first and didn't report it" - Colin Percival of Tarsnap
This! This is why locating and fixing possibly exploitable bugs is so important and why bug bounties help.
If a black hat finds an exploit then they will make money. So there is a direct monetary reward for black hats finding vulnerabilities. Bugs = $.
If a developer ships software then they will make money. There is no money in creating perfect vaporware, only in completed software.
Shipped software = $.
Shipped software has bugs. Therefore your developers will be just as likely to innocently introduce bugs as prevent exploits. Not a good line of defense.
A fixed set of QA engineers will only ever find the bugs that they find. And they are on salary.
Time = $.
They will not find the bugs that are outside of the processes and skills of that fixed team.
So at this point, only one of our three groups has a direct financial reward for finding exploitable bugs in shipped software... and they won't be telling you about it. They have had a reason to be pounding on your software to the very best of their abilities and a reason to succeed. Their livelihood is dependent on being the first to that bug. So they probably were. How many 0-days were exposed by Stuxnet? Hacking Team?
Those that benefit most could have spent the most resources on finding the bugs. So you have to assume that they already did.