If you can't figure out how to 'not trust user input' then you can't exactly say that *I* don't know what I'm talking about. I've done 3 government audits for security across 3 different systems with no vulnerabilities in any of my stuff - it's not rocket science. Software security is largely easy, excluding some very nasty stuff (VM host security for instance) and usually boils down to "don't trust any input from outside the system".
If you look at the vulnerabilities for this software for instance, it's literally that they take parameters from a GET query string and render that HTML out directly to the person's page. How hard is it to apply a common sense HTML filter for all your incoming POST and query string information (hint: it's not hard at all...)? Then you have the infamous "goto fail" vulnerability from iOS being another example of stupid code errors. Or your other buffer overrun scenarios that were nightmares (and still occasionally crop up) back in the early 2000s and '90s. These are all simple-to-avoid problems...check your damn input, don't trust it, don't ever assume a person won't put it in manually themselves.
Once you've made that first step in pulling head out from ass, the rest usually becomes a simple matter of locking shit down and more traditional security controls like password rotations and patching.
In fact, the only part of security that I find "hard" or at least "expensive" is IPS, physical security and dealing with DoS attacks...none of which apply to 99.99% of software...and none of that is particularly hard for the 0.01% that need it because they can typically afford it.
Edited 4 time(s). Last edit at 03/26/2014 10:44AM by Death_Claw.
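As an added illustration of the pattern the post describes (a GET parameter rendered straight into the page), here is the unsafe render beside a version that encodes the value first. This is example code written for this page, not the software the post refers to; the page template, the parameter name `q` and the sample input are constructed.

```python
"""Reflected query-string rendering: the unsafe pattern beside the fixed one.

Added illustration, not code from the software the post discusses. The page
template, parameter name and sample input below are constructed for it.
"""
import html
from urllib.parse import parse_qs

# Constructed page template; {term} is where the user-supplied value lands.
PAGE = "<html><body><h1>Search results for: {term}</h1></body></html>"


def first_param(query_string: str, name: str) -> str:
    """Return the first value of `name` from a raw query string, or ''."""
    values = parse_qs(query_string, keep_blank_values=True).get(name, [""])
    return values[0]


def render_unsafe(query_string: str) -> str:
    """The pattern described in the post: the GET parameter is placed in the
    HTML untouched, so any markup in it is interpreted by the browser."""
    return PAGE.format(term=first_param(query_string, "q"))


def render_escaped(query_string: str) -> str:
    """Hardened version: encode the value for an HTML text context before
    it goes into the page. quote=True also encodes quotes, so the same
    helper is safe inside a quoted attribute value."""
    safe = html.escape(first_param(query_string, "q"), quote=True)
    return PAGE.format(term=safe)


def contains_raw_tag(rendered: str, tag: str = "<script") -> bool:
    """Crude check: did a raw tag survive into the rendered output?"""
    return tag in rendered.lower()


if __name__ == "__main__":
    # Constructed untrusted input: percent-encoded "<script>x</script>".
    qs = "q=%3Cscript%3Ex%3C%2Fscript%3E&page=1"
    print(render_unsafe(qs))   # the raw <script> tag ends up in the page
    print(render_escaped(qs))  # &lt;script&gt;x&lt;/script&gt; shown as text
```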