Some interesting papers came out of the third annual Workshop on Economics and Information Security. If you're an IEE Computer Society member you can read the full text. Eric Rescorla's article, "Is Finding Security Holes a Good Idea?", provides a statistical analysis of a point I have long held: that disclosure of holes is the prime driver for exploits, and that holding off on disclosure (which also means holding off on the fix) can in many cases reduce costs and improve security. That may be counter-intuitive, but read Rescorla's paper and judge it for yourself.
S&P: Economics of Information Security