One does not preclude the other. For instance, the current Signal implementation is almost certainly prone to remote code execution.

How does the Signal project handle reports of potential vulnerabilities? I haven't seen any security contact information on the OpenWhisperSystems site.