A result of a study by Kasperski lab is fairly promising – even though it shows the problem being raising up the stack:
For the very first time in its history, the top 10 rating of vulnerabilities includes products from just two companies: Adobe and Oracle (Java), with seven of those 10 vulnerabilities being found in Adobe Flash Player alone. Microsoft products have disappeared from this ranking due to improvements in the automatic Windows update mechanism and the growing proportion of users who have Windows 7 installed on their PCs.
The article can be found here.
So, I think all application developers should start to use the Security Development Lifecycle.