Security problems caused by clueless programmers
There isn't always much we can do unless security is a project in and of itself. Every faulty line of code needs to be fixed and regression tested. I have even had a client ask me to revert to vulnerable code since their clients depended on it. I can hear it: "That's a feature, not a bug."
Some of the most notorious attacks, such as cross-site scripting and SQL injection, are trivial to fix: convert every data string into the encoding used by the medium it is written to (HTML entities for an HTML page, bound parameters or driver-level quoting for SQL). This shouldn't be more than a few lines in any modern language, and that's only if the escape/encode functions are not already provided by the language.
Problem is, amateur programmers tend to make the same mistake hundreds of times, and by the time they're discovered, the damage is done and the product is already in production.
And then when it's time to fix the vulnerabilities, users go about solving it the wrong way, like rejecting the data (via regex or other means) instead of properly encoding the fields. Even ASP.NET pages display a server error when they see a less-than sign. Why *can't* I use "<" in a text box? And why *can't* I use an apostrophe in that name field? Many names have an apostrophe. Should we do away with these keys on the keyboard because developers don't have a clue how to handle them properly?
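The two points above, encode for the medium rather than reject the input, in working code. This is an added example and not code from the original post; it uses Python's standard `html` and `sqlite3` modules, and the user names it processes are constructed samples. It shows that an apostrophe or a `<` in a name is harmless when the string is HTML-escaped on the way to the page and bound as a parameter on the way to the database, and it shows why the string-building version breaks on an ordinary name like O'Brien, which is exactly what drives developers to reject the character instead of handling it.

```python
import html
import sqlite3

# Constructed sample names: the very characters the text says get rejected.
SAMPLE_NAMES = ["O'Brien", "<b>Ann</b>", 'Jo "Quote" Smith']


def render_greeting(name: str) -> str:
    """Encode for the HTML medium.

    html.escape turns < > & " ' into entities, so the browser displays the
    characters literally instead of parsing them as markup or attribute
    delimiters. Nothing is rejected; the name survives intact.
    """
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def setup_db() -> sqlite3.Connection:
    """Fresh in-memory database with a single users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_user(conn: sqlite3.Connection, name: str) -> None:
    """Encode for the SQL medium by binding a parameter.

    The driver transmits the value separately from the statement text, so an
    apostrophe is just data and the statement cannot change shape.
    """
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    conn.commit()


def find_user(conn: sqlite3.Connection, name: str):
    """Look the name up the same way; returns the stored name or None."""
    row = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def naive_insert_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """The mistake the text describes: building the statement from strings.

    Returns True when a perfectly legitimate name makes the statement invalid.
    This is why a developer who wrote it this way ends up banning apostrophes
    instead of fixing the encoding.
    """
    try:
        conn.execute("INSERT INTO users (name) VALUES ('" + name + "')")
    except sqlite3.Error:
        return True
    return False


def round_trip(names):
    """Store and retrieve every sample through the parameterised path.

    Returns a dict mapping each input name to the value read back, so the
    caller can confirm the data was neither rejected nor altered.
    """
    conn = setup_db()
    for n in names:
        insert_user(conn, n)
    return {n: find_user(conn, n) for n in names}


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(render_greeting(n))
    print(round_trip(SAMPLE_NAMES))
    print("string-built INSERT breaks on O'Brien:", naive_insert_breaks(setup_db(), "O'Brien"))
```

The HTML side is output encoding; the SQL side is parameter binding rather than a textual escape, because that is what the database medium actually offers. Both leave the input untouched, which is the whole point: the fix belongs at the boundary where the data is written, not at the keyboard.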
The problem is, employers just think about cheap labor and not so much about quality when choosing among candidates. Until that changes, the vulnerabilities will remain common.