I promise this will never get better until fines get handed out left and right for breaches of ANY personal information. Right now, no one really gets penalized for breaches unless it involves regulated data (financial, healthcare, etc...).

Why? Money, obviously.

1. employing security engineers who know what they are doing is EXPENSIVE.

2. third party pentests are expensive.

3. if there isn't an open source tool available, all of the software in the security area is SUPER expensive.

No company, especially small or medium size, is going to spend that kind of cash without a real motivator.

Even if you do EVERYTHING you should be doing, you will still have vulnerabilities. It's a losing game.



In my dreams, some combination of closed hardware and/or software (perhaps the latest Intel AMT vulnerability?) leads to the personal information of all congressmen being leaked--financial, medical, residential, etc. They respond with a "Secure Computing Act" that requires all US agencies, as well as any companies they do business with, to use 100% open-source hardware and software.


The more likely outcome would be to nonsensically ban open-source implementations and instead give a monopoly to a small list of "governmentally approved security companies." These companies in turn would be required to produce massive volumes of paper reports to "manage the risk and prove that their software is secure."
