by PeterisP 1879 days ago
Can you elaborate on what exactly you mean by "software should be expected to provide some basic level of protection"?

In some sense security is binary - if your software happens to have even a single mistake that results in RCE or authentication failure, then it's totally exploitable and does not provide any level of protection whatsoever. And as experience shows, we seem unable to write any software without such mistakes, even if we try really, really hard with skilled people who have security in mind; as far as I recall, every popular piece of software that needed to be secure has had vulnerabilities.


You don’t have to be perfectly secure in order to raise the bar past your adversary’s level of sophistication. But you do have to stop doing the same stupid shit that’s in easy reach of anyone who can program.
Once a complicated exploit is known, it can be added to the arsenal of any script kiddie.

This isn't saying you're wrong that quality can raise the bar. It's saying that time and context also lower the bar. In particular, not being subject to what’s "in easy reach of anyone who can program" is not guaranteed by any purely default action - notably not guaranteed by spending X dollars.

Not every vulnerability will be exploited; most hacks use very simple exploits, if any. 80 percent of security can be achieved with 20 percent of the work.