DVWA Impossible levels...

I’m actually wondering if DVWA impossible levels are actually impossible, how some high secured sites are still vulnerable to some attack vectors like XSS or sqli. All they have to do is just implement the source code of the impossible level to their code. But what am I actually misunderstanding here. Can you guys show me ??