by tptacek 3832 days ago
This is I think exactly correct.

It's always funny to see people suggest that security companies should somehow be better at secure code than other companies, as if narrowing the set intersection of possible programmers from "capable programmers" to "capable programmers who can quickly write lots of different file format parsers" somehow makes it easier to find "programmers with an intuitive knack for secure programming".

No. The more specialized your application domain, the harder it usually gets to source programmers who are also incredibly diligent.

Security companies as a general rule have poorer code quality than other companies.

1 comment

That's one way to see it. I usually don't think about security in terms of individual programmers' capabilities but more what the company behind them wants to accomplish. Security should be a process. Compare the code coming out of Microsoft in 2000 with 2010 -- still not great perhaps, but what a difference a change in objective can make.

Antivirus programmers are paid to add new parsers. Not to assess the security implications of the software. The result is predictable. Sourcing competent programmers would make zero difference as long as they have no incentives to change their process.