"The current state of secure software development by corporations both large and small is a mess.
Software vendors need to realize that they must begin exercising due diligence when producing their software products. Microsoft dedicated itself to secure development practices some years ago, yet its developers are still taking months to fix reported vulnerabilities. If an industry giant like Microsoft cannot get a grip, it really does not bode well for the rest of the industry.
While many companies make a passing attempt at improving their software products, all too often other pressures win out. Software companies that will delay a product's launch for the sake of a code audit, third-party threat testing, or an extended quality-assurance (QA) cycle are few and far between. Sadly, the secure development life cycle (SDLC) is not always adhered to by the software vendors, and the first casualty in this process is typically quality assurance." - Securityfocus
Part of my job involves creating an SDLC for the company I work for. Having spoken with many companies, both large and small, I agree with this article that most companies haven't figured out proper integration of security testing in development and QA. I consider this sort of initiative to still be fairly new to the industry, with lots of room for improvement. The real challenge is finding the right balance for your specific development organization, and understanding that one approach does not fit all, even within the same company.
Article Link: http://www.securityfocus.com/columnists/476