Three scenarios: (a) fix design flaw to make system secure, (b) address new vulnerabilities that are unknown before, or (c) comply with newly established regulations.
There is no crystal ball to foresee (b) or (c) but for (a), this can be avoided if good practices are exercised during development stage.