Tim Bray opines thusly on the state of web security:
Of course some of these get into very sensitive security issues; but actually we’re getting pretty good at providing information on the Web in a secure way.
I have a more pessimistic view than Tim. 226 million (and counting) breached identity records say we are not so good at this stuff. I see evidence of good ideas coming in web security, the vast majority of which emanate from OWASP, but I don't see them being baked into mainstream web app development and frameworks. This creates a bad situation that Brian Snow characterizes this way:
We will be in a truly dangerous stance: we will think we are secure (and act accordingly) when in fact we are not secure.
I think the problem is that developers, having come up with some minor security modifications, assume that is all that is necessary. Here is the thing: attackers evolve too, and the attacks are coming way faster than the security mechanisms. It's fair to say that developers, when they even get around to taking security semi-seriously, are outgunned.
Developers focus on all the hard things needed to get something to work, but not on the failure modes, and the failure modes are what attackers exploit. To wit: Web 2.0 Attacker Meme Map
The reality is that Web 2.0 functionality "secured" by a Web 1.0 security model against a 3.0 attacker is like smashing a rock on an egg.