That's a nice way to put the fallacy. That one is so common it needs its own name and Wikipedia page with a list of hacked products that used the fallacy. Has anyone already done that, with a link?
On my end, I always tell them any system or scheme is to be assumed vulnerable until proven otherwise through analysis and pentesting. If they doubt that, I show them plenty of stuff made by pros and the associated CVEs. Then I ask if their people were better and had more budget for security. Usually a no...
I've written my fair share of vulnerable code throughout the years. Two key indicators for me: Do they learn from their mistakes? Are they proactive at preventing mistakes?