LLMs find more vulnerabilities than people because people time is heaps more expensive than LLM time, that’s it.

We’ve always been able to find heaps, we’ve just never had the right structures to put in the effort and remunerate people for looking (even if they don’t find anything).

Looking for bugs is boring. LLMs don't get bored the same way humans do. Thus even if you had infinite budget you should expect an LLM to be better.