Side channels are prevented through security audits. There is not an infinite well of bugs in any codebase that will always be exploitable.

Once you patch the bugs, they are patched. You eventually reach a state where there is no more surface area for bugs.

I'm sorry, that's not aligned with reality. Possible states in a system grow exponentially with lines of codes added and no one can expect or prevent all the failure states leading to security issues

I feel like you've never worked at a company that has decades of tech debt and has more than just a handful of devs.