[thrashh]

I think it has failed because the industry is moving way faster than most people can keep up.

Even your average developer isn’t going to be aware of security changes in the industry to know what’s important or not. It’s going to be even less likely they someone not in engineering to remotely know what’s important or not.

Security professionals know but do you seek out a cardiologist first before you ask your GP? Probably not because, being not at all trained, you have no clue about anything. And if your GP doesn’t know, you are kind of on your own.

[photon12]

"People" don't need to keep up, the internal controls team needs to keep up, and it's possible to staff such a team with people who know how to mitigate phishing attacks when you are one of the largest corporate targets of phishing by volume on the earth.

[thrashh]

They do because they are the ones hiring.

If you’re trying to decide between electricians but you know nothing about electrical jobs, you’re going to be unable to make any meaningful decision. You’re just going to pick the one that sounds the best.

Heck, you could be using the same mediocre electrician for years and even recommend it to friends because you still have no clue about the workmanship.