The Trustworthy Computing Security Development Lifecycle (SDL) factors in this recent article (Report: Microsoft beats Oracle on security) about a white paper (Which database is more secure? Oracle vs. Microsoft [PDF]) written by David Litchfield of NGS Software that takes Oracle to task on their security posture.
The flaw count for SQL Server has been very low since 2002, Litchfield said, because Microsoft uses a security development lifecycle (SDL) where, as he put it, "knowledge learnt after finding and fixing screw ups is not lost. Instead, it is ploughed back into the cycle." From what he can tell, Oracle doesn't have a SDL of its own, since it is "making the same basic mistakes" and some of its fixes "indicate that they don't understand the problems they're trying to fix."
The SDL introduces a number of processes for reducing the occurrence of security bugs in software, such as having a team independent of the development team review their code. Team System includes static code analysis tools, which also assist in the effort to stamp out security bugs before releasing software.
For more information, you should read The Security Development Lifecycle by Michael Howard and Steve Lipner.