I just wrote an article over on the SDL blog about my observations from the industry to Jeff Jones' vulnerability analysis and the lack of security progress by our competitors.