Discussion on: Security just like Quality, is built in.
Don't forget to mention the physical security of this issue. (Or is that for another blog?) With everyone looking to a magic technical security solution, it's usually some idiot that just comes through the door that breaks the whole system down. -d (A pet peeve of mine, I know. Sorry.)
That's for another post. I don't have a specific one in mind right now, but I'm reasonably sure it'll be forthcoming soon enough.
I have a lot of other material in the queue before I get to that, I think. Stay tuned.
The biggest problem that I have with reported vulnerabilities is that so many of them are found with automated tools. Sure, that fuzzer or tool to try XSS or SQL injection attacks is going to allow you to pick up some "cool boy security hacker points." Hooray. So they get fixed and the reported vulnerability count falls to 0. Meanwhile, the world's easiest exploit can be found by looking at the JavaScript in the HTML source, or maybe looking at the source code for the app, or whatever.

My favorite example: last summer, I needed to change a hotel reservation on Hyatt's Web site. It let me use either my confirmation number (which I did not have handy) or my credit card number (which I *did* have handy). I returned to the page later on and noticed that IE was able to autosave my CC number, which it never does for pages that post via SSL/HTTPS. In other words, it was posting my CC number over an unencrypted HTTP stream... BAD! I just happened to notice this (it has since been corrected). No automated tool in the world will catch this, but any cracker will see it in a second. So the automated tool reports 0 errors: a false sense of security.

Many of the truly nasty security holes out there will never make it to a "reported vulnerabilities list" simply because those lists are constructed nearly entirely with automated, script-kiddie-type tools. Yes, it is important to find and close those holes... but a solid code review by a top coder is still the best way to find the really ugly problems!
J.Ja
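The unencrypted-form case described above, as an added check that is not part of the commenter's post or of any tool mentioned: it parses a page's forms and flags any that would send card or password fields to an action that is not HTTPS (whether the page itself is plain HTTP or an HTTPS page posts to an HTTP action). The sample HTML, hostnames and field names are constructed; the sensitive-name list is a substring heuristic.

```python
"""Flag HTML forms that would submit sensitive fields over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substring heuristic for field names that should never travel in the clear.
SENSITIVE = ("card", "ccnum", "cc_", "cvv", "password", "passwd", "ssn")


class FormScanner(HTMLParser):
    """Collect every <form> with its resolved action URL and input names."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "fields": [str]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL,
            # so a plain-HTTP page posts in the clear unless action says https.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(html, page_url):
    """Return [(action, [sensitive field names])] for forms posting secrets over http."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    findings = []
    for form in scanner.forms:
        secrets = [f for f in form["fields"] if any(k in f for k in SENSITIVE)]
        if secrets and urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], secrets))
    return findings


# Constructed sample: a reservation lookup form plus a properly secured login form.
SAMPLE = """<form action="/lookup" method="post">
  <input name="confirmation"> <input name="cc_number">
</form>
<form action="https://secure.example.com/login" method="post">
  <input name="user"> <input name="password">
</form>"""

if __name__ == "__main__":
    for action, fields in insecure_forms(SAMPLE, "http://www.example.com/reservations"):
        print(f"WARNING: {fields} would be posted in the clear to {action}")
```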