Here's an attempt to succintly describe why achieving security is difficult:

The engineer wants to implement a program P that allows users to perform action A.
The hacker looks at program P and wonders how can he use it to perform actions other than A.
The security guy wants to implement a program P that allows users to perform action A and only action A.

Some observations based on this description:

 - defining A precisely is harder than it may sound
 - it can be non-trivial to implement P so that it performs A
 - if P fails to accomplish A, it will likely accomplish something else than A
 - there is a cascading effect that increases the probability of not being able to achieve the security guy's goal