Yes, but these smart contracts are often fairly short (in essence, they shift value from one ledger entry to another), and not every bug is exploitable. They are also effectively paying a bounty worth hundreds of millions of dollars if you can find an exploit. It is not unreasonable to feel increasingly confident in their safety after some time.