A recent survey by SailPoint found that over half of enterprises have been hacked in the last 12 months, and those that had been hacked had been hacked 29 times. Unless you are a known, high-value target, most attacks against you will be automated attacks that look for well-known exploits that black hat security researchers find and sell. Even if you are a well-known or high-value target, many attackers still try commonly known exploits first. In general, security researchers focus their time on well-known software applications to maximize the value of their findings. If someone were trying to break into your house and had purchased all of the known exploits for home alarm systems, it would be much easier for them to break in if you used one of the well-known systems with a known exploit than if they had to discover an exploit for a custom system that you had built. This is the notion of security through obscurity: the idea that there is an inherent security when a hacker does not have access to the full details of your system.
Even top software providers do not always exercise good security hygiene. Building your own application is a double-edged sword: it brings the challenge of implementing a good security framework, but the decision to prioritize new features versus security risks is now in your hands. The ability to control this process grows in importance the more sensitive the information you are dealing with, especially if there is no industry-standard solution with a security focus available on the open market. If you need to maintain absolute control over the security of your system, you should perform a careful cost-benefit analysis of implementing a custom application from the perspective of security.