Not only software can have bugs
From the viewpoint of ICT products, this is usually a bug in the program code itself that arose either during development or during updates. We can encounter them almost everywhere. Program developers try to make sure not to introduce bugs unintentionally during development, but no product is so perfect that it doesn’t need updates during its lifetime.
However, vulnerabilities do not have to be just software bugs. They can involve misconfigurations such as default settings, old or weak passwords, open ports, unauthorized or unexpected installations of software, services, systems, unknown devices in the network, deviations or non-compliance with internal regulations, etc.
There are over a trillion malware patterns and they keep coming. There are now about 170,000 known vulnerabilities, but the vulnerabilities most commonly used in exploits of specific malware are only about 800. By finding and removing a few vulnerabilities in the network, we can cover a huge number of potential risks from malware attacks.