Deadliest Web Attacks has published an article rallying against the dearth of high quality, secure code. Although most code is never seen by anyone but the core development team, in light of the recent Symantec source code theft the article is particularly pertinent:
How would you alter the risks associated with your web site if its source code were stolen? Hard-coded passphrases? String concatenation of SQL statements? How much security relies on secrecy of functionality versus secrecy of data? Think of it in terms of Kerchoff’s Principle, roughly “The system must not require secrecy and can be stolen by the enemy without causing trouble”. Kerchoff was writing about cryptography, but the concept applies well to software.