Cybersecurity vulnerabilities are broadly categorized into 2 types:
[a] Inherent weakness in the component, protocol (e.g. PLC, ftp) that is insecure by design
[b] Improper deployment causes a secure component (e.g. FIPS-140-2 Level-4 certified crypto module) into insecure due to lack the required surrounding elements (likely broken business process or human negligence)
Type [a] can be overcome at time of procurement to specify requirement.
Type [b] can be identified via vulnerability assessment of the deployed solution in people, process and technology perspectives