I'm skeptical too. "The experts", e.g. HBGary, get pwned worse than having a bunch of crapware on their desktop, but it's for the same types of mistakes:
"So what do we have in total? A Web application with SQL injection flaws and insecure passwords. Passwords that were badly chosen. Passwords that were reused. Servers that allowed password-based authentication. Systems that weren't patched. And an astonishing willingness to hand out credentials over e-mail, even when the person being asked for them should have realized something was up. [...]
Most frustrating for HBGary must be the knowledge that they know what they did wrong, and they were perfectly aware of best practices; they just didn't actually use them. Everybody knows you don't use easy-to-crack passwords, but some employees did. Everybody knows you don't re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn't." [1]
Granted, this doesn't prove that experts are generally unsafe, and maybe somebody with a beef with these ones in particular would say they're just semi-knowledgeable salesmen cashing in on the cyber scare, but it lends some weight to the idea that too many experts aren't much safer.
Well, my example of HBGary was chosen because they were a firm specializing in computer security. But, as shown by Ars Technica (or claimed by Anonymous), they had some pretty bad security failures themselves.
You do have a point about programmers, or to generalize a bit, people who are more technically-inclined than average but who don't care/know about security. I shake my head seeing things like people flashing community-built Android ROMs with signature checks disabled, closed-source rooting tools, sideloaded APKs downloaded from dubious filesharing sites, "curl http://whatever | sh".
[1] http://arstechnica.com/tech-policy/2011/02/anonymous-speaks-...
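The "curl http://whatever | sh" habit mentioned in the reply above is worth contrasting with the safer pattern: fetch the script to a file, check it against a digest published out of band, and only then run it. The script below is an added example, not code from this thread or from Ars Technica; the installer contents, the temporary paths and the `fetch_install_script` URL parameter are constructed placeholders, and the digest you would pin in practice has to come from the software's author, not from the same server that serves the script.

```shell
#!/bin/sh
# Safer alternative to "curl URL | sh" (added example, not from the thread).
# Piping straight into sh has two problems: nothing is inspected before it
# executes, and a connection that drops mid-transfer leaves sh running a
# truncated script. Downloading to a file and verifying a pinned SHA-256
# digest before execution avoids both.

# sha256_of FILE: print the hex SHA-256 digest of FILE (coreutils or perl-based
# shasum, whichever is present).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_install_script URL DEST: download without executing anything.
# (Not called by the demo below so the example runs offline; URL is a placeholder.)
fetch_install_script() {
    curl -fsSL "$1" -o "$2"
}

# verify_and_run FILE EXPECTED_SHA256: run FILE only if its digest matches the
# pinned value. Returns 0 on success, 1 on mismatch (and does not run FILE).
verify_and_run() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: digest mismatch" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    sh "$file"
}

# demo: exercise both paths with a constructed installer script.
# Returns 0 if the untampered script runs and the tampered one is refused.
demo() {
    dir=$(mktemp -d) || return 1
    script="$dir/install.sh"
    # Constructed stand-in for a downloaded installer.
    printf 'echo "installer ran"\n' > "$script"
    # In practice this digest is copied from the author's signed release notes.
    pinned=$(sha256_of "$script")

    # Case 1: digest matches, script executes.
    if ! verify_and_run "$script" "$pinned"; then
        rm -rf "$dir"
        return 1
    fi

    # Case 2: content altered after the digest was pinned (e.g. a tampered
    # mirror or an injected line); verification must refuse to execute it.
    printf 'echo "this line was not in the pinned version"\n' >> "$script"
    if verify_and_run "$script" "$pinned" 2>/dev/null; then
        rm -rf "$dir"
        return 1
    fi

    rm -rf "$dir"
    return 0
}
```

Calling `demo` runs both cases; the untampered script prints its line and the appended one is refused before a single line of it executes. The same `verify_and_run` function works on a real download once `fetch_install_script` has written it to disk and you have a digest from a trustworthy second channel.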