I am very skeptical about the ability to clean up the coding since features always trump design in our free market society – for a nice European persective on the ‘right way’ to write code see Clive Robinson’s comment at:
http://www.schneier.com/blog/archives/2005/02/regulation_liab.html#comments
IMHO his advice is DOA (even a fine German company like SAP has some of the craziest spaghetti code imaginable). I say that as someone who has tried to secure common applications only to repeatedly discover that vendors can’t tell you have their applications really function – such as reading a Microsoft paper on what network ports are needed for an application (they specify unneeded ports and forget others that are critical).
The best I can imagine is that we manage the risk and those whose governance (or luck) fail them will go extinct as ‘better’ solutions come along. (Will we see that with Microsoft losing market share to Firefox or Apple?)