I'm not so sure... I work for a *very* large company, and there's just too much remediation work to do. Every year, I have to report known insecurities in the software we have. Every year, it's nearly the same report. There's no money/time for remediation, and the auditors are satisfied so long as all the insecurities are listed in our report.
I really wish they'd allocate some time/money to get them fixed and off the list!