A large issue here is that companies that get what they deserve will try and keep the lid on the entire debacle if at all possible. The result is apathetic managers who think security hazards only exist in the minds of the technophiliac loonies they don't get along with anyway. If they happen to be feeling generous they will, as someone put it, maybe make security an item on the checklist.
One can see why the Java security model is so popular; when the language keeps your leash so short you can hardly do anything wrong (or anything period), clueless newbies (read: utterly uneducated people who might even have been ushered into the job; I'm not putting negative connotations in the term here) will not produce security holes the quality of merlyn's demonstration. Of course they'll still fail to notice possible vulnerabilities for SQL injection, cross-site scripting and other subtleties. (Which really aren't that subtle anymore.) But it looks good on paper and gives the manager who has no idea what security is about the satisfaction that he chose the "safe" technology.
There's a hoarde of rude awakenings waiting to be unleashed..
Makeshifts last the longest.