Hi Evert,
There certainly is a balance out there. Some security vulnerabilities are more annoyances than catastrophes, or require more financing than it would cost to suffer an attack. That said, there are two other considerations before we get to determining when the balance is sufficient:
1. What is the minimum level of security to implement?
2. At what point have we done enough that attacks can be blunted/mitigated?
It's probably not entirely apparent from my blog posts, but the book I'm writing does far better at hinting at those. Incidentally,
http://phpsecurity.readthedocs.org for those on the list who haven't found it by word of mouth yet (it's a WIP).
In observing PHP (been using it since '97/'98) we have serious ongoing problems with both. There are continual errors made in reaching a minimal security defense. I could name names but this is based on tools/libs built by professionals that are either growing popular or new enough to be in my recent memory.
Secondly, programmers underestimate potential damage all the time. It's one reason why alert(document.cookie) is such a funny XSS example. Just use HttpOnly flags for your cookies. Swap that for something realistic, however, and you should see jQuery, XmlHttpRequest, Prototype and other libraries being used by the attacker. Who needs a cookie, silly, when you can just get the user to instantly make all the requests you can dream of? Another component of underestimating damage is that programmers don't always get the concept of "attack chains". One small vuln can be leveraged to use another, then another, and then...boom. (Recent discussions re XML External Entity Injection show signs of this.)
Everything CAN be broken. There are new exploits and tools by the week. Security is a fast-paced business with white and black hats racing to find new ones. There IS a balance to consider also. However, I do think PHP suffers from a disconnect in figuring out what that balance is and often ends up setting it far too low.
And...now I'm blogging on a mailing list again ;).
Your end point is spot on, Evert - we need to be able to explain the risks, attacks, etc. in a way that makes them understandable. Too often we use simplistic or obvious examples that don't communicate this properly, or communicate it as something silly that shouldn't be worried about.
Paddy
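The point Paddy makes about alert(document.cookie) versus a realistic payload can be shown in code. The following is an added example, not code from the mail or from the PHP Security book; it is a small constructed model of how a browser treats cookies (document.cookie hides HttpOnly cookies, but same-origin requests carry all of them), a constructed fake server, and two payload functions (exfilPayload, requestPayload). The cookie names, session id, "/transfer" endpoint and balances are all invented for the demonstration.

```javascript
// Added example: why HttpOnly blocks the toy XSS demo but not a real payload.
// Everything here (cookie jar, server, payloads) is constructed for the demo.

// Constructed cookie jar: the session cookie is HttpOnly, a preference is not.
const cookieJar = [
  { name: "PHPSESSID", value: "s3cr3t-session-id", httpOnly: true },
  { name: "theme", value: "dark", httpOnly: false },
];

// What injected script sees via document.cookie: HttpOnly cookies are hidden.
function documentCookie(jar) {
  return jar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What the server sees on a same-origin request (XMLHttpRequest, fetch, a form
// submit): the browser attaches every cookie, HttpOnly or not.
function cookieHeaderForRequest(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed fake server: trusts any request carrying a known session cookie.
const sessions = { "s3cr3t-session-id": { user: "evert", balance: 100 } };

function server(req) {
  const cookies = Object.fromEntries(
    (req.headers.cookie || "").split("; ").filter(Boolean).map((kv) => kv.split("=")),
  );
  const session = sessions[cookies.PHPSESSID];
  if (!session) return { status: 403, body: "no session" };
  if (req.method === "POST" && req.path === "/transfer") {
    session.balance -= req.body.amount; // state-changing action on the victim's account
    return { status: 200, body: `sent ${req.body.amount} to ${req.body.to}` };
  }
  return { status: 200, body: `hello ${session.user}` };
}

// Toy payload, alert(document.cookie) style: the attacker only gets non-HttpOnly cookies.
function exfilPayload(jar) {
  return documentCookie(jar);
}

// Realistic payload: make the victim's browser issue an authenticated request.
// The script never needs to read the session cookie; the browser adds it.
function requestPayload(jar) {
  const req = {
    method: "POST",
    path: "/transfer",
    headers: { cookie: cookieHeaderForRequest(jar) },
    body: { to: "attacker", amount: 100 },
  };
  return server(req);
}

console.log("exfil payload sees:", JSON.stringify(exfilPayload(cookieJar)));
console.log("request payload gets:", JSON.stringify(requestPayload(cookieJar)));
```

Run with node: the exfiltration payload comes back with just "theme=dark", while the request payload completes the transfer with status 200, because HttpOnly only governs script access to the cookie, not whether the browser sends it. The real mitigation is removing the injection, not hiding the cookie.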