Are static code analysis tools the best way to identify potential security vulnerabilities? What are the drawbacks of using this type of tool?