The Register® — Biting the hand that feeds IT

Post: Detection of holes

RW

Detection of holes 

In Mozilla plugs 10 security holes in Firefox

How many of these fixes were to holes spotted by reviewing the source code and how many by sad experience?

I have to wonder if the entire modern approach to design and construction of programs is fundamentally flawed. TCP/IP stack implementations seem to be pretty much bug-free; is that because of the carefully layered abstraction of the stack scheme? Is a similar approach possible with application programs?