The ideal situation would be if everybody were super-conscious about security, knew about the latest threats discovered and knew how to avoid at least the more popular security pitfalls. But reality doesn't seem to look this way. In reality one can be happy if architects and developers are generally aware of such a thing as security and bear in mind that they need to consult on it in the course of the design and development process.
There's a very simple reason for that: the range of security issues out there is extremely wide, and to be effective one has to go into great detail while at the same time not losing sight of any class of possible issues. You simply can't expect this level of expertise and awareness from someone whose main goal and responsibility is to design functional solutions or to write good code and deliver remarkable applications.
That's exactly why security people should be consulted on projects before anybody writes a single line of code. And that's also why written code should be security-assessed during the development process: to point people busy delivering functionality to the places where they missed something vital from the security perspective.
Such an assessment enables the business to decide how important a flaw is and whether they wish to pay for it to be fixed or would rather accept the risk. Which in turn leads us straight to profit. Well, at least to preventing losses, but still.