2003-12-03

This has been my point for the past year or so:

"Today, software engineers are not required to understand and assess security risks in their products' architecture and design. Security has not been a part of the quality assurance process. To get a degree in architecture for designing and constructing buildings, a professional would be required to understand physical risks and how to reduce those risks -- that is, fire safety, earthquake issues and so forth. "

The rest of the article didn't do much for me: Technology News: The State of Software Security: An Interview with ISS Founder and CTO Chris Klaus
