by ploxiln
3999 days ago
Companies in general do not really care. I've been on the inside, the infrastructure guy who knows what's actually being done to implement proper security and who's responsible for a lot of it. Companies care much more about the next set of features, the next release, the next big deal that will change everything, the sales goals for this quarter. They may even care about "usability", the latest site re-design, "user stories". Security is always the very last thing they care about, until there's a huge, very costly breach. Then they care for 2 months, and I get to actually work on the security stuff, and get other developers to cooperate, and clean up the known messes left all over in the typical mad dash of feature addition and replacement. Then it's all forgotten about again. They should say "we suck, we focused 100% on features and market share, we know now what's important", and they should get security right. It does kinda suck that the market often rewards companies that prioritize all else above security, and I wish such companies all the damage a breach can cause. Otherwise, there's no reason to not suck at security. They should just be honest: "This is what happens when you make a product people love. It's insecure and data is lost and service is interrupted. But you all love it so thanks :)". People should not be under the illusion that their favored products and services are secure. They should know they love insecure shit.