[michaellosee]

Some thoughts. In my experience, the lack of vulnerable code in a secure application is not the product of savvy developers who never make mistakes. A hardened web app usually gets that way because someone took the time to find and fix some of the exploitable vulnerabilities that could be found. Unfortunately, that usually doesn't happen until they get hacked pretty hard and come to see the business value of investing in the people, process, and tools required to create a robust security program which is augmented by quarterly $10,000 PenTests.