Something I often find during my security audits: vulnerable code, such as SQLi, which is accidentally protected by other code. 🙃
It's always frustrating to go from finding SQLi and doing a Dr Evil impression 😈 to realising it's unexploitable due to some random validator... 😭