Conflict Theory
Does the defence of a country or a system depend on the least effort, on the best effort, or on the sum of efforts?
The last is optimal; the first is really awful
Software is a mix: it depends on the worst effort of the least careful programmer, the best effort of the security architect, and the sum of efforts of the testers
Moral: hire fewer better programmers, more testers, top architects
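A toy model of that mix, added here as an illustration and not part of the original slide: programmers as a weakest-link game, the architect as a best-shot game, testers as a sum-of-efforts game. All per-person rates are constructed assumptions.

```python
from math import prod

# Constructed toy model of the three aggregation rules the slide combines.
# Probabilities below are illustrative assumptions, not measured data.

def p_flaw_introduced(p_coders):
    """Weakest link: a flaw ships if ANY programmer slips. The product of
    (1 - p_i) is dominated by the largest p_i, i.e. the least careful coder."""
    return 1.0 - prod(1.0 - p for p in p_coders)

def design_mitigation(a_architects):
    """Best shot: the mitigation a design provides is the best architect's;
    a second, weaker architect adds nothing under this rule."""
    return max(a_architects)

def p_flaw_escapes_tests(t_testers):
    """Sum of efforts: each tester independently catches a flaw with
    probability t_j, so detection accumulates (with diminishing returns)
    as testers are added."""
    return prod(1.0 - t for t in t_testers)

def p_shipped_vuln(p_coders, a_architects, t_testers):
    """Probability that a flaw is introduced, not neutralised by the design,
    and then missed by every tester."""
    return (p_flaw_introduced(p_coders)
            * (1.0 - design_mitigation(a_architects))
            * p_flaw_escapes_tests(t_testers))

if __name__ == "__main__":
    # Worst effort dominates: one careless coder (p=0.5) among nine careful
    # ones (p=0.01) is worse than ten merely average coders (p=0.05).
    print("one careless coder :", round(p_flaw_introduced([0.01] * 9 + [0.5]), 3))
    print("ten average coders :", round(p_flaw_introduced([0.05] * 10), 3))
    # Same 12-person headcount, two staffing policies.
    many_average = p_shipped_vuln([0.10] * 10, [0.5], [0.5])
    fewer_better = p_shipped_vuln([0.02] * 5, [0.7], [0.3] * 6)
    print("10 coders, 1 architect, 1 tester :", round(many_average, 4))
    print("5 coders, 1 top architect, 6 testers:", round(fewer_better, 4))
```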
The case for better programmers and top architects has been made. With regard to testers, this is perhaps less well understood, and it really amounts to the combination of test effectiveness and risk. Static analysis tools make for a highly effective test on a high-risk area (software security). Many security tools do not scale; static analysis does.