I've been reading and enjoying Gary McGraw's three books on application security. Each and all is a phenomenal read. [And worth buying...Won't loan mine]
Bruce Schneier, eminent Cryptographer and Security expert, raises an interesting point. From his perspective, blaming hurried system administrators for not patching their systems is tantamount to blaming the victims.
Consider the HUNDREDS of Oracle patches we've been hit with. Where's the problem? Is it the those DBA's who 'refuse' to apply a hundred or more patches to their production databases during a single month? Or is the problem that some vendors may push application security to the bottom of the priority barrel?
Another great point? We purchase and patch unique tools at the network level to try to contend with fundamental errors in application coding security.
Occasionally, Informit offers these three books in a package. If you want to be exposed to great thinkers and the importance of application security, consider buying them. Or ask to borrow my copies 8-)