Kappy,
...Given the tens of thousands of lines of programming in an operating system,...
Think "Millions" of lines of code
Croshaven,
The iPhone has become a popular device for security researchers, and as time goes on, more and more iPhone specific security tools are becoming available for those security researchers to use, which means they can find more problems.
In some cases the security researchers report the flaw to Apple, and then keep quiet about it until after Apple does a regular point operating system update, so you get regular bug fixes, new features, and security fixes. Sometimes the flaw is so severe the update is immediate. And sometimes the security researchers DO NOT keep it to themselves, but rather go for the attention and release the knowledge to the press, and let Apple catch up. These are more likely to cause out-of-cycle updates.
The causes are bugs, or an unexpected path in the code that is working as designed, which the developers did not realize could be used that way. Bugs are much easier to deal with than path flaws, which may affect the design, which may affect the user interface, which may affect the user experience (some working feature had to be taken away because of the security implications).