I think we can all agree that it's both a very difficult and a very large task to maintain an application with 500 million active users, let alone continue innovation and expansion.
Testing can only ever go so far - bugs and vulnerabilities exist everywhere, even in Facebook.
With the resources they have access to, I'd say there's no real excuse - unless it's not a priority - which could very well be. Privacy only became a priority (which coincides with security) when Facebook started to regularly change people's privacy settings on them.
Testing can only ever go so far - bugs and vulnerabilities exist everywhere, even in Facebook.