Actually, most IT security people don't understand security either. They talk in absolutes, and every exploit is talked about as if it's one that, if you don't solve it, leaves you completely unprotected, so you may as well not bother with securing anything.
Most of them pay lip service to 'defense in depth', but don't really think about it, or about what they are allowing to go from layer to layer (hint: a machine on one tier that just reformats a request and sends it down to your next tier without doing any validation of the request is adding almost zero security).
In addition, many security people are completely unwilling to discuss any trade-off in security vs anything else (availability, time to market, performance, maintainability, etc.).
As you say, security issues are one more risk that everyone must deal with.
The problem is that it's _really_ hard to evaluate the risk posed by a security hole. The probability that a particular vulnerability will be attacked is basically impossible to define. Something may seem really hard or obscure, but this can change at any time with no notice (someone writes a script-kiddie tool that makes a really hard attack trivial to execute and publicizes the attack, and something went from 'extremely unlikely' to 'extremely likely' in an instant).
David Lang (working security in banking for 16 years)
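The point about a middle tier that only reformats requests, as an added example that is not part of the original comment. The two relay functions below model a middle tier sitting between a web front end and a back-end service; the field names, limits and wire format are assumptions made for this illustration. The pass-through version forwards whatever the front tier sent, so any extra or malformed field reaches the back end untouched; the validating version enforces an allowlist of fields, types and ranges at the tier boundary before reformatting.

```python
from __future__ import annotations

import json
from typing import Any
from urllib.parse import urlencode

# Assumed contract between the tiers (constructed for this example):
# field name -> (expected type, maximum length for strings or None)
ALLOWED_FIELDS = {
    "account_id": (str, 12),
    "amount_cents": (int, None),
    "memo": (str, 64),
}
MAX_AMOUNT_CENTS = 100_000_000  # assumed business limit of 1,000,000.00


class RejectedRequest(ValueError):
    """Raised when a request fails validation at the tier boundary."""


def reformat(request: dict[str, Any]) -> str:
    """Translate the front tier's JSON object into the back end's
    assumed flat key=value wire format."""
    return urlencode(request)


def relay_without_validation(raw: str) -> str:
    """Tier that only reformats: anything parseable is forwarded as-is,
    including fields the back end was never meant to receive from outside."""
    return reformat(json.loads(raw))


def validate(request: dict[str, Any]) -> dict[str, Any]:
    """Allowlist check: known fields only, expected types, sane ranges."""
    unknown = set(request) - set(ALLOWED_FIELDS)
    if unknown:
        raise RejectedRequest(f"unexpected fields: {sorted(unknown)}")
    missing = set(ALLOWED_FIELDS) - set(request)
    if missing:
        raise RejectedRequest(f"missing fields: {sorted(missing)}")
    for name, (expected_type, max_len) in ALLOWED_FIELDS.items():
        value = request[name]
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, expected_type):
            raise RejectedRequest(f"{name}: expected {expected_type.__name__}")
        if max_len is not None and len(value) > max_len:
            raise RejectedRequest(f"{name}: longer than {max_len} characters")
    if not request["account_id"].isalnum():
        raise RejectedRequest("account_id: must be alphanumeric")
    if not 0 < request["amount_cents"] <= MAX_AMOUNT_CENTS:
        raise RejectedRequest("amount_cents: out of range")
    return request


def relay_with_validation(raw: str) -> str:
    """Tier that validates before reformatting, so the back end only ever
    sees requests that match the contract."""
    try:
        request = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise RejectedRequest(f"malformed JSON: {exc.msg}") from None
    if not isinstance(request, dict):
        raise RejectedRequest("request body must be a JSON object")
    return reformat(validate(request))


def is_rejected(raw: str) -> bool:
    """True if the validating tier refuses to forward the request."""
    try:
        relay_with_validation(raw)
    except RejectedRequest:
        return True
    return False


# Constructed sample requests: one well-formed, one carrying an extra
# "role" field that the contract between the tiers does not allow.
GOOD = '{"account_id": "ACC123456789", "amount_cents": 2500, "memo": "rent"}'
BAD = '{"account_id": "ACC123456789", "amount_cents": 2500, "memo": "rent", "role": "admin"}'

if __name__ == "__main__":
    print("pass-through forwards:", relay_without_validation(BAD))
    print("validating tier rejects:", is_rejected(BAD))
```

The difference is visible in what reaches the back end: the pass-through tier forwards `role=admin` along with the legitimate fields, so the back end must do all the checking itself, while the validating tier stops the request before it crosses the boundary. A tier earns its place in a defense-in-depth design only when it enforces something the layer behind it would otherwise have to trust.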