Kenneth F. Belva

Microsoft and The Ethics of Product Vulnerabilities

Steve Lipner of Microsoft writes in The Ethics of Perfection that there is a trade-off between usability and security. It’s a classic debate and a well-known argument that tries to answer the question: “whether it was ethical for a company with billions of dollars in the bank to ship a product with known classes of vulnerabilities.”

Perhaps the Gordon-Loeb model can help shed some light on this question. Although the following quote deals mainly with information security investments from a corporate side, it may apply equally well to vendors:

The Gordon-Loeb Model also shows that, for a given level of potential loss, the optimal amount to spend to protect an information set does not always increase with increases in the information set’s vulnerability. In other words, organizations may derive a higher return on their security activities by investing in cyber/information security activities that are directed at improving the security of information sets with a medium level of vulnerability.

When applied to vendors, perhaps we can say that shipping a product with some vulnerabilities is OK (and inevitable), especially when there are other mitigating controls in place. The product just shouldn’t be awash with them.
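To make the quoted result concrete, here is a worked numeric example added to this post (it is not code from the post, from Microsoft, or from Gordon and Loeb). It uses the class II breach-probability function from Gordon and Loeb's 2002 paper, S(z, v) = v^(αz + 1), where v is the vulnerability (the breach probability with no investment), z is the amount invested, and α is an assumed productivity parameter. The potential loss of $1,000,000 and α = 1e-5 are constructed values chosen only so the curve is visible; the functions compute the investment that maximises expected net benefit and show that it rises with vulnerability, peaks at a medium level, and drops to zero for the most vulnerable information sets.

```python
import math

# Constructed parameters (not from the post): a potential loss per breach
# and a productivity parameter alpha for the security investment.
POTENTIAL_LOSS = 1_000_000.0   # lambda: monetary loss if a breach occurs
ALPHA = 1e-5                   # productivity of each dollar invested (assumed)


def breach_probability(z: float, v: float, alpha: float = ALPHA) -> float:
    """Gordon-Loeb class II function S(z, v) = v ** (alpha*z + 1).

    With z = 0 the breach probability is exactly the vulnerability v;
    every extra dollar lowers it, with diminishing returns.
    """
    return v ** (alpha * z + 1.0)


def expected_net_benefit(z: float, v: float,
                         potential_loss: float = POTENTIAL_LOSS,
                         alpha: float = ALPHA) -> float:
    """ENBIS(z) = (v - S(z, v)) * lambda - z: expected loss avoided minus cost."""
    return (v - breach_probability(z, v, alpha)) * potential_loss - z


def optimal_investment(v: float, potential_loss: float = POTENTIAL_LOSS,
                       alpha: float = ALPHA) -> float:
    """Closed-form maximiser of ENBIS for the class II function.

    Setting dENBIS/dz = 0 gives
        z* = ln(-1 / (alpha * lambda * v * ln v)) / (alpha * ln v).
    If that expression is not positive, no investment pays off and z* = 0.
    """
    if v <= 0.0 or v >= 1.0:
        return 0.0
    ln_v = math.log(v)                       # negative for 0 < v < 1
    inner = -1.0 / (alpha * potential_loss * v * ln_v)   # positive
    z_star = math.log(inner) / (alpha * ln_v)
    return max(0.0, z_star)


def expected_loss_bound(v: float, potential_loss: float = POTENTIAL_LOSS) -> float:
    """Gordon-Loeb's 1/e rule: optimal spend never exceeds (v * lambda) / e."""
    return potential_loss * v / math.e


def grid_optimum(v: float, step: float = 100.0,
                 potential_loss: float = POTENTIAL_LOSS,
                 alpha: float = ALPHA) -> float:
    """Brute-force cross-check of the closed form.

    Scans z from 0 up to the expected loss v*lambda (spending more than the
    expected loss can never be worthwhile). ENBIS is concave in z, so the
    best grid point lies within one step of the true optimum.
    """
    best_z = 0.0
    best_benefit = expected_net_benefit(0.0, v, potential_loss, alpha)
    z = step
    while z <= potential_loss * v + step:
        benefit = expected_net_benefit(z, v, potential_loss, alpha)
        if benefit > best_benefit:
            best_z, best_benefit = z, benefit
        z += step
    return best_z


def investment_profile(vulnerabilities):
    """(v, rounded z*) pairs showing how optimal spend varies with v."""
    return [(v, round(optimal_investment(v))) for v in vulnerabilities]


if __name__ == "__main__":
    print(" vulnerability  optimal spend    1/e bound   net benefit")
    for v, z in investment_profile([0.1, 0.3, 0.5, 0.7, 0.8, 0.9, 0.99]):
        print(f"{v:>13.2f}  {z:>13,}  {expected_loss_bound(v):>11,.0f}"
              f"  {expected_net_benefit(z, v):>12,.0f}")
```

Run as a script, the table shows the spend climbing from the low-vulnerability sets up to a peak around v ≈ 0.8 and then collapsing to zero at v = 0.9 and 0.99: under this model the most vulnerable sets are too expensive to harden at all, and the medium ones give the best return, which is the point of the quoted passage. Read the other way round, as the post suggests, a vendor who ships with a modest residual vulnerability level and relies on other mitigating controls is acting inside the region where security spending actually pays.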

