The Ethics of Vulnerability Research
ronjor
May 14th, 2008, 08:13 PM
-{ Quote: "The standard way to take control of someone else's computer is by exploiting a vulnerability in a software program on it. This was true in the 1960s when buffer overflows were first exploited to attack computers. It was true in 1988 when the Morris worm exploited a Unix vulnerability to attack computers on the Internet, and it's still how most modern malware works.
Vulnerabilities are software mistakes--mistakes in specification and design, but mostly mistakes in programming. Any large software package will have thousands of mistakes. These vulnerabilities lie dormant in our software systems, waiting to be discovered. Once discovered, they can be used to attack systems. This is the point of security patching: eliminating known vulnerabilities. But many systems don't get patched, so the Internet is filled with known, exploitable vulnerabilities. " }-Bruce Schneier (http://www.schneier.com/blog/archives/2008/05/the_ethics_of_v.html)
ccsito
May 16th, 2008, 08:03 PM
Mistakes? I don't think so. People program in a certain manner and many times don't have the clairvoyance of being able to know all flaws beforehand (or they are otherwise too lazy to think them out). Programmers DO NOT update software unless a change is requested or something goes bump in the night. "Optimization" is NOT ongoing nor the expected destination no matter what management or the vendors say. :P
CircleGirl
May 23rd, 2008, 06:46 PM
-{ Quote: "Mistakes? I don't think so. People program in a certain manner and many times don't have the clairvoyance of being able to know all flaws beforehand :P" }-
Knowing that there will always be someone who will take advantage of a weakness in an OS to cause mischief, and if a programmer does not realize this weakness then it is a mistake of omission. ONLY AN OMNISCIENT PROGRAMMER CAN CREATE A MISTAKE-LESS OS!!!
All others must accept attacks sooner or later.
ErikAlbert
May 24th, 2008, 11:22 AM
-{ Quote: "Mistakes? I don't think so. People program in a certain manner and many times don't have the clairvoyance of being able to know all flaws beforehand (or they are otherwise too lazy to think them out). Programmers DO NOT update software unless a change is requested or something goes bump in the night. "Optimization" is NOT ongoing nor the expected destination no matter what management or the vendors say. :P" }-
-{ Quote: "Preventing buffer overflow exploits
Buffer overflow exploits can be prevented. If programmers were perfect, there would be no unchecked buffers, and consequently, no buffer overflow exploits. However, programmers are not perfect, and unchecked buffers continue to abound. When unchecked buffers are found, vendors often release patches that correct the problem. Unfortunately, keeping patches up to date on a large number of systems is difficult and many system administrators fall behind in patch deployment." }-
Source: http://www.mcafee.com/us/local_content/white_papers/wp_ricochetbriefbuffer.pdf
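The "unchecked buffer" the quoted McAfee paper refers to is easiest to see in code. This is an added illustration, not code from the thread or the paper: the first function copies its input into a fixed-size stack buffer with no length check, the second refuses any input that would not fit. The buffer size and the `greet_*` function names are made up for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* The defect the quoted passage describes: strcpy copies until it meets a
 * NUL byte, so any input of NAME_LEN bytes or more writes past the end of
 * name[]. Shown only to make the flaw concrete; the example never calls it
 * with oversized input, because doing so is undefined behaviour. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                 /* no bound: the unchecked buffer */
    printf("hello, %s\n", name);
}

/* The fix: measure the input within the buffer's bound first, and reject it
 * instead of overflowing. Returns 0 on success, -1 when the input is refused. */
int greet_checked(const char *input)
{
    char name[NAME_LEN];
    /* memchr scans at most NAME_LEN bytes, so the check itself cannot overrun */
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL)
        return -1;                       /* no terminator within the buffer: too long */
    size_t len = (size_t)(nul - input);
    memcpy(name, input, len + 1);        /* bounded copy, terminator included */
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    char oversized[64];                  /* constructed input longer than name[] */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    greet_checked("alice");              /* fits: prints hello, alice */
    if (greet_checked(oversized) != 0)
        puts("rejected: input does not fit the buffer");
    return 0;
}
```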
jrmhng
May 24th, 2008, 08:47 PM
OpenBSD tried to do code audits and that was abandoned.
ccsito
May 28th, 2008, 06:38 PM
We have version tracking as part of software development. That was instituted to prevent confusion when you updated programs. Of course, I NEVER got confused about my programs and think this mandatory adjunct system is a nuisance. 8) :P
Saraceno
May 29th, 2008, 12:35 PM
Is there research on whether it's more the case that new programs entering the market are the bigger target (which would generally affect a smaller number of people), or is it always the established programs (Microsoft) with a larger market share?
Copyright ©2002 - 2012, Wilders Security Forums