Web applications are one of the most targeted systems as they are directly exposed to internet. There is no web server without serious vulnerabilities, it is enough that you open exploit DB where you will find how it is simple to exploit vulnerable CMS or web applications.
Hackers are often searching and having those bugs where there is no correct code that may leak some very sensitive information, by the end developers are people and they often conduct some incautious mistakes. Developers mostly looking to have more functionality to increase usability and as you add that functionality you need to add more code which may lead to more vulnerabilities.
That’s why you need to conduct penetration testing on periodic bases to detect those bugs. During a pentest you can try Watcher. Watcher is an open source tool that can be a good addition to your penetration testing toolkit. it will passively scan the web applications searching for some serious vulnerabilities in the user input fields.