
To me, this problem should be fixed with legislation. Even if security flaws are obviously bad, it’s not as bad as taking away time/energy from profit centers. Even if there’s a fine, that will only get factored into the cost of doing business while still being more profitable than actually caring about security unless the cost is high enough. That might be quite bad for startups who need to compete with established players who can spend more on this problem. What’s the solution?

It does exist in the medical world with laws and regulations. For example you can follow the standard IEC 81001-5-1 to tell you what to do. It’s not perfect but it’s a good start and people generally agree that it’s good to implement.

My own solution would be to stop the proliferation of web sites as a disservice, and focus again on keeping private data private, i.e. on the client’s computer. If you don’t have it, you can’t leak it.

