The holes are already found, and information on them is for sale on line. The test for such things are done by throwing possible exploits at a system and seeing what gets in. This penetration testing can be done with any system on the network, and is also done by manufacturers before releasing the system.

but, there are always unexpected things.

You are right about physical and remote security. When I was designing secure facilities, a great deal of effort was spent on physical security. If the bad guys can get to the equipment, then no system is secure.

For remote access, Linux is probably the most secure, because the bad guys attack it first, as that is what the least trusting use. For these people, paranoia is a virtue.

They pass around fix's to problems, or get problems passed from others, and a very large network of people are constantly fixing things. If Microsoft or Apple were open, they would probably have the same kinds of security communities built up around them. Black hat and the other gathering of that kind are contests to see who can break what others have tried to render unbreakable. Then, they talk about how it was done, and try to make it harder to do anything like that again.

That is part of the reason why security is a constantly shifting target. What was secure five years ago is now almost worthless as protection. What works now, is just a game to beat to these people. They are never going away.