Re: Might take a while
Can we please stop the specious engineering analogies? Lots of engineering relies on known, quantifiable methods to achieve nearly the same exact results as 100s or 1000s of nearly identical projects. Even if not identical, components are limited in number, don't change as quickly and have known physical characteristics. Know your field, have a lot of talent, apply a generous amount of overengineering and you should have a somewhat predictably safe product. If it's not, then you're in trouble but the next iteration will fix that flaw and leave most of the rest of the system the same.
If it's super complex, a la space shuttle, dev time is in decades and 1000s of folks check and recheck everything.
Even complicated risks like earthquakes are gradually addressed by years of aggregated wisdom in cookbook recipes, i.e. building codes. Overarchingly you have proven mathematical models to check your systems with.
Many of these conditions apply very differently to development. Wishful thinking and self-flagellation don't mean it's an easily transferable model.
We are faced with nearly the same level of complexity, constantly evolving threats and dev tools, and essentially operate on a custom artisan model where everything is always new. And we most certainly don't have formal mathematical verification methods. And security vs ease of use is not nearly as much in tension in most engineering fields.
Agree with the article though, we need to seriously up our game.