10th April 2013
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
 
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

I agree with your last bullet point, jggimi.

50% of all of the "vulnerabilities" Microsoft ran across during the big code audit in 2002 (that eventually became Windows Vista) were "design" issues and not "implementation" issues. Design issues are considerably more intensive to fix than simple implementation errors (such as strcpy vs strlcpy or the like), and as such design issues are *more likely* to be neglected because the cost of fixing them is greater.

It's the same concept as "You cannot fix a bad algorithm by throwing more hardware at it":

"You cannot fix security by throwing individual programs at it."
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
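As an added illustration of the strcpy vs strlcpy distinction the post uses as its example of a cheap implementation-level fix (editor's example, not code from rocket357's post or from any project mentioned in it): the unbounded copy beside its bounded replacement, with truncation treated as an error instead of silently storing a cut-off value. The names bounded_copy, set_hostname, struct config and HOSTNAME_MAX are hypothetical; bounded_copy is a portable strlcpy equivalent carried inline because glibc only shipped strlcpy in 2.38 and older systems lack it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable strlcpy equivalent under a hypothetical name (glibc gained
 * strlcpy only in 2.38, so the example carries its own). Copies at most
 * dstsz-1 bytes, always NUL-terminates when dstsz > 0, and returns
 * strlen(src) so the caller can detect truncation, exactly as strlcpy does. */
size_t bounded_copy(char *dst, const char *src, size_t dstsz)
{
    size_t srclen = strlen(src);
    if (dstsz > 0) {
        size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

#define HOSTNAME_MAX 16           /* hypothetical fixed-size field */

struct config {
    char hostname[HOSTNAME_MAX];
};

/* The implementation-level bug: strcpy() writes strlen(src)+1 bytes no matter
 * how large the destination is, so any src of HOSTNAME_MAX or more bytes
 * overflows cfg->hostname. Shown for comparison only; never feed it input
 * you do not control. */
void set_hostname_unsafe(struct config *cfg, const char *src)
{
    strcpy(cfg->hostname, src);
}

/* The implementation-level fix: bound the copy, and refuse input that did not
 * fit rather than keeping a truncated hostname.
 * Returns 0 on success, -1 if src was too long (field left empty). */
int set_hostname(struct config *cfg, const char *src)
{
    if (bounded_copy(cfg->hostname, src, sizeof cfg->hostname) >= sizeof cfg->hostname) {
        cfg->hostname[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    struct config cfg;
    /* constructed sample inputs */
    const char *ok = "bsdbox";
    const char *too_long = "this-hostname-is-far-too-long-for-the-buffer";
    int rc;

    rc = set_hostname(&cfg, ok);
    printf("%-45s -> rc=%d hostname=\"%s\"\n", ok, rc, cfg.hostname);

    rc = set_hostname(&cfg, too_long);
    printf("%-45s -> rc=%d hostname=\"%s\"\n", too_long, rc, cfg.hostname);
    return 0;
}
```

The check is `>= sizeof dst`, not `> sizeof dst`: a return value equal to the buffer size means the source was exactly one byte too long once the terminating NUL is counted. This is the whole "simple implementation error" the post refers to; the fix is local to one line and one caller, which is what makes it cheap compared with a design flaw.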