The security of a program isn't always about sanitized validated inputs and dropping invalid data. A program can only be as secure as the environment in which it resides: hard and software. Millions of lines of less than secure code notwithstanding the further consideration of what code interacts muddies the situation significantly. http://www.ntguard.com/article.cfm/id/341504
further underscores that as we add complexity, we risk adding vulnerability.
Coders are under time,financial, and interoperability constraints that inject inevitable flaws into their end product. Good practice and QC become limited by client needs, production schedules, and limitations of manpower. Manufacturers mitigate these needs as reasonably as they can within these limitations. Flawed code doesn't seem to be going away.
Social engineering is never going to go away because we're flawed creatures. we want to be helpful, useful, liked, and appreciated. We'd have to take the human element out.
AV technologies will continue to struggle to keep up with the virii available if only for the percieved protection they provide. Per the refernces in the link above, I dare say AV technologies might have become near self-perpetuating.
I wouldn't attribute the lack of new tools and techniques to a lack of them existing, rather a lull in publishing. People can only explore so much before repeating research. This career has been punctuated by bursts of frenzied discoveries based on other research. We are just as likely to be experiencing the calm before the storm.