I've often felt that the way to actually force companies to increase the security of their software products was for the insurance industry to get involved. After all, insurance should be paying claims for security issues. This was an idea covered as part of The Software Conspiracy, but unfortunately many laws favor software vendors, even when they write software that doesn't live up to the claims or expectations of customers. This is especially disconcerting for database professionals, as so much software accesses a database.
Perhaps there's another way. I read that a new non-profit called CITL (Cyber Independent Testing Laboratory) has been established to evaluate and rate software in a more organized way. Their goal is perhaps to shame companies into writing better software. Actually, their goal is to help consumers and companies better understand how secure products are, based on the actual performance and evaluation of the software. The shaming is, hopefully, a secondary goal.
The organization is modeled after Consumer Reports, a publication that helps individuals compare the capabilities, quality, and performance of a variety of products by having experts rate each item. This has been a popular model in the US, and I hope the CITL will become popular and valuable as well.
The initial focus of the lab will be on more widely used consumer software, but I hope that they move into business applications as well, helping each of us to better understand how secure systems are. Perhaps more importantly, I hope the ratings will help management at companies compare security ratings, and ideally force them to weigh the increased insurance costs of products whose database access is poorly written. Perhaps this is the way we might finally see those COTS systems stop using "sa" to connect to the database.