Caroline note: I'm not at all wedded to this conclusion, especially the lame final sentence. Please feel free to improve it! Perhaps Andrew and John might go into the last paragraph and add something more about the drawbacks to your proposed solutions for improving software (liability, licensing).
The ultimate solution to making software more secure is a technical one: the keys are new technologies, such as tools, and more skilled engineers. Other solutions, be they legal, economic or policy, simply push organizations toward devoting more resources to improving the technical underpinnings of software.
Policy-makers can use their law-making power and their power over purse-strings to encourage organizations to devote more resources to improving software security. They can threaten software vendors with a stick by enacting software vendor liability laws. They can encourage the market to push vendors toward making more secure software by, say, having the government refuse to purchase any software that has not been certified by an independent lab. Or they might extend carrots to help organizations improve the technology and technical skills behind their software: grants to universities for research into better tools and languages, or to start software engineering programs.
There is no one easy answer to software security. Our paper has described several possible approaches for improving it, and each has problems. Vendor liability might stifle innovation. Licensing might too. And since we do not currently have the ability to create an independent lab that can give meaningful ratings, it might be best not to try. We hope that, after reading this paper, policy-makers are now a bit better equipped to avoid poor decisions on this issue.