While it's certainly better to make sure the fundamentals of your software stack are sound --and we should, we must--, if the application has holes in it big enough to drive a state circus through, you're still hosed. That's the problem with security: Just patching holes isn't good enough. You'll never find them all. So you have to engineer everything you have, use, and make, to contain as few holes as possible. "Due diligence" as the banks practice it with their tiger teams and stuff is very slightly better than not doing anything at all, but in the greater scheme of things it's still laughably futile. What OpenBSD does is fairly useful, but now do that with every critical application in use. That is simply not going to happen.
But the point is that the DHS does not, in fact, have control over what software the rest of the country runs. So they can do little more than raise a little awareness and hope people will demand and make better software. Yet they don't do that; they're mumbling things about cold war tactics and whatnot else. It's bare-chested Putin language, but of little consequence.
In fact, laughably so, especially because it reeks of cargo culting. "We did this with the nuclear standoff, so if we do superficially similar things in this entirely different domain we'll get those good times back."
As someone else mentioned, as long as governments believe in this "cyber" thing, they're mainly deluding themselves. They can do little else because countries are all but irrelevant there. They can make themselves a good solid nuisance, even a deadly nuisance at times, but in the end what nation state you belong to doesn't matter on the internet. At best you'd get "optional" countries; be German in the morning and Japanese at midnight. And what self-respecting government wants to be optional?