Security vulnerabilities tend to be program behaviors that are not desired or anticipated by the users of the program. This means that in many cases the vulnerability is either due to an error or oversight on the part of the developer or the result of a malicious developer intentionally introducing code to cause the behavior. Every deployed service is potentially vulnerable in ways that may not have been discovered yet.
Many services have multiple open source implementations available and even more closed source options. Often, these independent implementations represent distinct groups of developers creating a service based on protocol or interface specifications. Because of this diversity, an administrator often has a choice of implementations when deciding to provide a service. Choosing a particular version of a particular piece of software, and regularly reviewing and updating that choice, is a standard aspect of security practice. This ongoing choice is driven in part by the regular discovery of new vulnerabilities, which usually affect certain versions of certain software packages. Using a different version of the software or a different software package is thus one way to remove a vulnerability after it has become known.