Bad security wins out?

Excerpts from Bruce Schneier:

Why are there so many bad security products out there? Why do mediocre security products beat the good ones in the marketplace?

Economist George Akerlof wrote a paper called The Market for Lemons, which established asymmetrical information theory. He won a Nobel Prize for his work, which looks at markets where the seller knows a lot more about the product than the buyer.

Akerlof illustrated his ideas with a used car market. A used car market includes both good cars and lousy ones (lemons). The seller knows which is which, but the buyer can't tell the difference, at least until he's made his purchase. What ends up happening is that the buyer bases his purchase price on the value of a used car of average quality.

This means that the best cars don't get sold - their prices are too high. Which means that the owners of these best cars don't put their cars on the market. And then this starts spiraling. The removal of the good cars from the market reduces the average price buyers are willing to pay, and then the very good cars no longer sell, and disappear from the market. And then the good cars, and so on until only the lemons are left.

In a market where the seller has more information about the product than the buyer, bad products can drive the good ones out of the market.

The computer security market has a lot of the same characteristics as Akerlof's lemons market. Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time. This means the less-secure product will be cheaper, sooner to market, and have more features.

I see this kind of thing happening over and over in computer security. In the late 1980s, there were more than a hundred competing firewall products. The few that "won" weren't the most secure firewalls - they were the ones that were easy to set up, easy to use, and didn't annoy users too much. Because buyers couldn't base their buying decision on the relative security merits, they based them on these other criteria.

Security testing is both expensive and slow, and it just isn't possible for an independent lab to test everything. A complex software product is very hard to test well. And, of course, by the time you have tested it, the vendor has a new version on the market.

How do you solve this? You need what economists call a "signal," a way for buyers to tell the difference. Warranties are a common signal. In reality, we have to rely on a variety of mediocre signals to differentiate the good security products from the bad. Reputation is a common signal - we choose security products based on the reputation of the company selling them, the reputation of some security wizard associated with them, magazine reviews, recommendations from colleagues, or general buzz in the media.

All these signals have their problems. With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death.

Reply to
Steve
  1. Stop playing web2news gateway without providing any discussion point
  2. Tell news!
Reply to
Sebastian G

"Many firewall comparison reviews focus on things the reviewers can easily measure, like packets per second, rather than how secure the products are. In IDS comparisons, you can find the same bogus 'number of signatures' comparison. Buyers lap that stuff up; in the absence of deep understanding, they happily accept shallow data."

DISCUSS

Reply to
David Smith

Well, there is nothing to discuss, that's all true.

Remember the old firewall market leaders back in the '90s: Checkpoint FW-1, which was almost unusable. PoS. Years passed before the product became semi-decent, definitely not before 2000..2002. And people kept buying it!

PIX, a damn stupid PC-box packet filter. And pe>

Reply to
ArkanoiD

Which PIX models are you talking about? Most even implement ASICs optimized for routing and filtering with a decent ruleset compiler.

Reply to
Sebastian G.

