Geekonomics
is the name of the book. I can't remember the author, it was 2008. It was about the costs of insecure software.
But my argument is that there is a difference between not meeting requirements, and bugs.
Bugs are things like buffer overflows, where stuff goes into places that it shouldn't and causes havoc.
Requirements - my best remembered one is the American software for accepting dates that would accept any two digits into the day/month/year __/__/__ fields. A proper requirement would have specified that 01-31 were valid values for day, depending on values chosen for month, etc. I always check a date prompt now to see if it will accept 99/99/99.
When I am teaching about test specifications, the law is that it must not only do what it is supposed to do, but must not do what it is not supposed to.
Regards,