That is an awesome question. Now that I'm thinking about it, how do some of those vulns get discovered?

I subscribe to several mailing lists, and generally have 5-10 vuln e-mails per day, often with exploit descriptions for that particular vulnerability. Some of them are so specific in thier implimentation, that it'd be near impossible to discover the exploit or the vuln randomly.

Wow, I can' believe that I haven't thought too much about this before! I was assuming that the freakin computer fairy just had me in his/her address book, and was e-mailing me the vulnerabilities.