I believe a bug would still cause them to be in violation, but it likely means there would not be any punishment for being in violation. GDPR has a lot of leeway for companies that are making an effort to be in compliance, but have failed for one reason or another. In this case, I would assume the punishment for the bug would just be "fix the bug".