Is it plausible that a fully automated tool could have discovered this?
These are tools that require little knowledge of the domain, e.g. automatic static analysis, compiler warnings, fuzzers.
Examples of true answers: SQL injection, XSS, buffer overflow.
Examples of false answers: RFC violations, permissions issues, anything that requires the tool to be "aware" of the project's domain-specific requirements.