Cognitive Dissonance in Security

Two recurring points of cognitive dissonance in security, prompted by reading Brian Krebs' Security Fix post on Firefox vs. IE:

  1. If finding vulnerabilities makes software more secure, why do we assert that the software with the highest vulnerability count is less secure (than, e.g., a competitor)? (It is even more ironic that this comparison has become more questionable as "favored" software has fared worse in this category.)
  2. If the disclosure date is the day that software becomes "at risk," why don't we try our hardest to push that date out?

Conclusion: nobody really knows what the heck they are talking about when it comes to "secure software."

An alternative measure:
The Spire Vulnerability Rating
Why We Need the Spire Vulnerability Rating