I just read an interesting article claiming "Security is poor because vendors are not held responsible". It basically says that organisations don't feel any need to address security-related issues because they are not held accountable for doing so (especially financially).

<SOAPBOX step="up">
It is my opinion that this is something that affects the whole of the IT industry. IT professionals are not accountable for what they do, not to the same level as professionals in Medicine or Law, for example. Huge IT companies can still get away with releasing software that doesn't work. If we in IT are to gain any credibility as a profession, we must start taking responsibility for our work.
<SOAPBOX step="down">

You can read the full article here.