And again you are assuming that these vulnerabilities are introduced by cheap untrained or foreign programmers. Massive silicon valley firms who pay top market rates do the same mistakes. I am sure there is a correlation between pay level and understanding of security but we are very far from a position where if you hire a team of developper, a business can have any confidence that they won't do something dumb like md5 a password, concatenate a string in a SQL qry, rely on user supplied array length in an unmanaged language, not protect themselves against CSRF (I suspect 50% of professional web dev still don't even know what it is!), etc.