Security often ends up being one of the last things on a developer’s mind, and one of the first things to get cut out of a project plan when time gets tight. This is because there are no direct business benefits from being secure. Don’t get me wrong—if something goes wrong, there can be major consequences (especially if you are in an industry in which fines are de rigueur for security breaches). But until something goes wrong, somebody finds out about it, and your company is held liable for poor security practices, it’s a cost and not a profit-earning segment of the product.
This is why I’m glad there are people like Troy out there explaining exactly what the problem is and how to fix it. It may take a while for those companies to listen (though to EE’s credit, it sounds like there are people in there who know better and want to make changes), but what that says to us as security-minded professionals is that we need to sell security better. We need to be able to show ROI on implementing secure practices. Unless we can do that, the default will remain insecurity.