Useful article succinctly presented.

"Make it work" superceding "make it secure" is a tricky issue, more a human one than technical.

A boss walked up to a programmer, chitchatting, asking about his work. The programmer told that he just finished converting a bunch of CGI scripts into ASPs (after many many hours). The tone and the body language of the boss was basically, "Right... so what have you done lately?"

Except for banks or governments like that, many end usrs don't spend attention to security (intangible thing, until disasters strike). And it's hard for a client without technical background to ask for and pay attention to something he's not aware of, such as security.

We once got quite a bit of positive feedbacks from the users by enabling them to post their pictures on the Web (which was an easy job). As for encryption on the URL (a more difficult task), we got dead silence.

I guess consumers are more willing to pay for sophisticated look than sophisticated code, and to pay for whatever impress them the first moment. Seems like a business strategy of MS, that many programmers complain about, that it hides badly tangled code behind fancy UIs and wizards.

Rumors had it, Xerox had a dilemma whether to make its copiers more durable since it had lucrative business by fixing its broken copiers.

Except to avoid lawsuit, not everyone feels security a good business investment. A bank might feel it'd rather get robbed now and then for several thousand dollars a year than hire security for tens of thousands of dollars a year. Business executives only have to make sure their business make money during their tenure (like 3 - 5 years); it may not make sense for them to think long run.