I was in a meeting today with a large group of security professionals, talking about SDL, reducing vulnerabilities, metrics, and so on (my usual topics), and we got into a really interesting discussion about which areas of focus produce the best practical results for operational IT security.

How would your IT department's focus change if you could have a product with perfect security quality, in other words, no expectation of exposure due to a vulnerability?

Read my recent CSOonline entry, The 80/20 of Managing Software Risk, for my thoughts.