I don't work with software security and have discovered absolutely no new security flaws. I have, however, experienced many and created some in the long career you refer to.
Still, none of the security problems I wrote into my code could be blamed on highly adversarial conditions - all of them were plain bugs, places I forgot to do something or when I trusted something one should never trust.
The fact you never met a QA team that could uncover security problems possibly stems from them not looking into the code itself and never having the responsibility of finding such problems. Validating compliance, correctness of observed behavior and even overall user experience is also called quality assurance, but it is, by no means, defining of the whole software quality concept.
As long as we're clear that by "them", I mean "a broad cross section of the whole industry, from embedded infrastructure code to 'web 2.0'", and you mean "the fictitious QA team that works the way I say QA teams do", then I think we agree.
Because I'm telling you that you're wrong about the relationship between QA and security in the real world.