Russ McRee at HolisticInfoSec.org takes trustmarks (aka website security certifications) to task frequently. His most recent salvo is pretty potent, as he makes the point that these certifications do not mean the website is risk free.
While his point is clear and beneficial to consumers, security professionals recognize that there is no way to eliminate risk except to turn things off and walk away. Certifications, whether they are associated with people (CISSP, Ph.D., etc.) or websites, are signaling mechanisms designed to provide a starting point or shortcut to help folks assess these entities when there is no other information available to them. They also commonly create a "barrier to entry" for others if they get popular enough (e.g. there are ongoing discussions in security about the value of the CISSP, but there is no denying that enterprises commonly use the CISSP as a filtering mechanism when filling positions).
What I am missing from Russ is some set of recommendations for making things better. Simply taking the simplistic certifications to task is too easy (their weaknesses are fairly broadly recognized, in my opinion). The harder part is designing a system that would/could work better. He seems like a sharp guy, and I bet he has some ideas on this.
A follow-up on the topic: http://holisticinfosec.blogspot.com/2009/04/recommendations-for-trustmark-providers.html
Cheers.