A blog post by a leading IT security expert explains why the market for security products fails because buyers are unable to evaluate products. This is a more striking example than those I presented earlier because it concerns sophisticated professional buyers like banks and intelligence services. My previous examples concerned buyers of consumer electronics and genetically modified cotton seed. The example that Bruce starts with fooled people ranging from the French intelligence service to banks.
Although Bruce does not take the argument beyond security products, the same problems help explain why people do not buy secure software in general. All computers handling really sensitive information or high-value transactions should run something as good as OpenBSD. We know from security breaches that many do not.
In the past I have been inclined to blame bad choices partly on carelessness (choosing the easy solution rather than the secure one) and partly on organisational politics (choosing an insecure solution that allows someone else to be blamed for the breach, rather than a secure solution that would leave you with the blame if it does go wrong). Now, it appears to me that the inability to evaluate the available choices is also a key factor.