goobster innocently sent me a whitepaper last week about IoT and security. I bit his head off because it was yet another tired, tawdry "users should be more careful" scold about all those horrible things that can happen to you if you aren't careful from yet another publicly-traded internet infrastructure company.

    The computer and the car have become utilities where the manufacturers are given great value by society. Cars have roads, and computers have access to the Internet. Both have utilitarian necessity. But cars are expected to maintain certain safety features. It would seem reasonable that an industry whose failures can wreak havoc globally should be expected to build security into its own systems.

I've got cameras on the Internet now. They're talking to an NAS that's on the Internet. And they're from the most esteemed company in security. And you can type "axis root password" into Google and get into a million of them.

And you can't disable the root user.

And I'm fucking sick of the automobile industry telling people that if they don't want their Pintos to explode they should stop getting run into.

veen:

Security is a design choice. It is a choice that needs to be made from the get-go, one that will always cost a significant amount of money and time and one that can work against the intended goal of a project. I just don't think companies and the people in them consider it a priority enough to pay for that design choice - the risk appears small and distant while investments are large and upfront. Security usually comes into play when something is large enough that it's too late to "make" it secure. (I once had an airport logistics professor yell at me something along the lines of "security is binary! is it secure considering the adversaries, or not?") I totally agree that secure solutions should be standard, but I just don't see a good way to make it the default.

At the same time, I also think we're fighting a losing battle. This morning I read about Tinder storing 800 pages of data for just one female journalist. Privacy and system security are not the same thing, but the same reasoning is used - we, the user, should just never have anything to hide. Just don't be an idiot! The problem is that my digital footprint is probably already too large for me to be anonymous. My IP's been linked to my home address. My grocery store probably keeps track of what debit card I use. And now fuckin' Tinder keeps a record of when, where and with whom I had a date last year and could totally sell that to some ad company to influence what ad I get to see.

goobster, were you careful enough when picking your IRS? You weren't, because by engaging in society you inevitably leave a (digital) footprint. In very much the same vein that our privacy has eroded beyond the point that we can be careful enough to avoid harm, I think the security of our digital systems in general has dwindled to a point where "just be careful" doesn't cut it anymore.


posted 2397 days ago