All security problems are to some degree people problems. Code may be buggy, but it was written by people who could have been better trained, had more time to spend on code review, etc. When there are multiple programs, OSs, libraries, etc to choose from then choosing a suitable combination of software is a matter of the skill and background knowledge of the people involved.
There are issues of software choice where there is no provable benefit of making one particular choice, EG choosing between a popular product that is OK and for which it is easy to hire skilled people to use it and a less popular product that has better security features but less public knowledge. But this is minor compared to other security problem.
I believe that the greatest security problem is stupid people. Stupid people in technical positions write buggy code and configure servers to be insecure. In consulting and analysis roles they develop bad procedures. In management they hire bad people to do technical work.
The vast majority of security problems can be fairly directly and immediately traced back to stupidity. In the corporate environment that is stupid programmers, stupid managers who hire people who are obviously stupid, and often stupid executives for mandating that software that everyone knows to be insecure should be used across the entire enterprise. In both the home and corporate environments there are a huge number of people who run machines that they know to be compromised. Apparently using a computer that is known to be under the control of an unknown hostile person is something that they don’t consider to be a problem – in spite of the obvious risks of fraud, data destruction, and risk of being implicated in crimes such as the distribution of child porn.