Bruce Schneier has written an excellent essay on the problem of insecure software.
The problem is that it is actually in a company’s best interest to write insecure software because it is easier and therefore cheaper and they do not suffer the costs of security failure. In fact, the market rewards insecure software as people like timely releases and lots of features, both of which decrease the time spent on making software secure.
The only way to counter this is to make it profitable for all companies to produce secure software. This could be done simply by passing on some of the costs of security failure to the software vendor by making them liable.
This also applies to other areas of security, notably bank and identity fraud. It's not in the bank's interest to protect you much from such actions, as the costs fall upon you. The banks are even making more of the liability fall upon the customer through initiatives like Chip 'n' Pin: if you have a fraudulent Chip 'n' Pin transaction, it is taken to be your fault, because the PIN is meant to be a secret and you cannot easily prove it wasn't you, as you can with a signature.