In the beginning of Practical Cryptography by Niels Ferguson and Bruce Schneier, the authors make a comparison between structural engineering and computer engineering. They make the argument that structural engineers learn from their mistakes and build stronger and better. Yet, they claim software engineers make the same mistake time and time again. People are satisfied with patchwork solutions.
I don’t think the analogy is apt. When structural engineers screw up, gas tanks explode, bridges collapse, space shuttles disintegrate. People die. There isn’t a large margin of error. There isn’t a tendency after a bridge collapse to use a crane to put the span back in place, give it a quick weld and move on. This is why large latitude for safety and security is built into the product.
When software engineers screw up, people generally don’t die. The damage isn’t immediate, it often isn’t visible. Its much harder to get people to pay for security. Even if you wanted to, its not like a bridge that you can condemn and start over. Its widely deployed. You’ve got to patch and the patch will have unintended consequences.