There are several reasons why an automated product will fail to thoroughly audit every possible component of your web server. Code reviews actually may be very fast for experienced coders, but this depends on many variables. For example, how experienced is the coder? How well does the reviewer understand the web application? How well does the reviewer understand the constructs of the programming language used for the application? How complex is the application? What external interfaces exist, and how well does the reviewer understand these external interfaces? If you live and play in this world, then code reviews may be easy for you. If you live and play in many worlds, then you may want to consider augmenting your searches with automated tools.
Automated tools can be quite harmful to production environments. Exercise care, and design the test in a manner that will not affect production systems.
Automated tools can be quite helpful and guide you toward parts of your web platform or web application that might need further review. A strong case could be made that new applications should be tested with good code reviews and tools such as those listed below. This list only scratches the surface of what's out there. Many general vulnerability scanners also test commonly exploited vulnerabilities for web platforms. There are many web testing tools available. Here is a small list of web tools:
Web Sleuth: http://www.sandsprite.com/Sleuth
Paros Proxy: http://www.parosproxy.org
Web Inspect: http://www.spidynamics.com/products/webinspect
XSS NASL plugin for Nessus: http://www.cirt.net/code/nessus.shtml