Start employing people who actually know what they're talking about
Had to chuckle when I read this, as the reason UK Gov are asking for this is simply because they have no idea themselves.
Unfortunately I can't find the source, but several years ago someone high up (possibly David Cameron, but can't confirm) came out with an absolute gem of wanting to work with industry to find a way to "delete a photo off the Internet". A total lack of understanding of how the technology works. No reference to the fact that people could easily copy and redistribute the material before that magic button was pressed.
Then we have nonsense like PCI Compliance. Oh yes, as long as you have a written procedure and your staff know where it is, that's enough to label your company as "having secure practices".
Essentially you've got people who are not fit for purpose, coming up with plans which are not fit for purpose either. That's the real issue. Maybe get some people in to educate the Government on how technology actually really really works? Too simple?
At the other end you have bean counters who think spending extra time (and therefore money) on secure development is a waste of money. I've no words or advice for people who are that stupid.
Once did some work for the NHS. Had to write pages and pages about how we'd work with security best practices in mind. Only to be told they wanted said application to run in IE 6 and handed over a password to a related system which was anything but secure.
So, those are just a few things...