It’s aimed more at executives, and certainly talks about the disconnect between actions and words. People talk about security being important, but rarely seem to make fundamental changes that might improve things.
I tend to agree, though I also think it’s not as cut and dried, and often we have a disconnect in what we really want or need from security. Do we need chip-and-PIN cards vs. our signature ones? It’s arguable that the former are more secure, but there have been incidents, and without a doubt the large scale of the US credit card market would mean more and more attacks. There is an argument that the devil we know is better than the one we don’t.
However, there certainly are not great coding practices in many organizations. I think we far, far too often do not train or show new developers how to code more securely. We also don’t require older developers to change their habits to implement new techniques that limit issues. We also don’t bother to review code that consultants write, or require that it be secure. It’s far too easy to “just get it into production” for many people.
Overall, I tend to agree with Schneier and Brian in that we need to rethink security in our languages, but also fundamentally in how computer systems work. We also need a culture of security, something that won’t take place until we mature as a digital civilization.