[atleta]

4) Security testing becomes a norm and there will be easy to use tools/services. Regulation doesn't help here. Everyone makes mistakes, the better developers just make less.

There is no reason not to have these tools if you have so many easy to use ones available for intrusion.

I happen to have known a local startup that was working on such a service: intrusion/security testing SaaS. Their model was something like giving a simple dashboard/report that the management could easily understand and act on if needed. They also thought about having a badge that the verified sites could display, as a proof towards their users that they are secure. Unfortunately they, and their VC, screwed it up big time.