He’s on the right track, but he’s made a dangerous mistake. It’s the software manufacturers that should be held liable, not the individual programmers. Getting this one right will result in more-secure software for everyone; getting it wrong will simply result in a lot of messy lawsuits.
To understand the difference, it’s necessary to understand the basic economic incentives of companies, and how businesses are affected by liabilities. In a capitalist society, businesses are profit-making ventures, and they make decisions based on both short- and long-term profitability. They try to balance the costs of more-secure software — extra developers, fewer features, longer time to market — against the costs of insecure software: expense to patch, occasional bad press, potential loss of sales. The result is what you see all around you: lousy software. Companies find that it’s cheaper to weather the occasional press storm, spend money on PR campaigns touting good security, and fix public problems after the fact than to design security right from the beginning.
The problem with this analysis is that most of the costs of insecure software fall on the users. In economics, this is known as an externality: an effect of a decision not borne by the decision maker.
