There seems to be some odd blog war going on in a triangle between Thomas Ptacek, some guy called Lindstrom, and Adam Shostack.
Lindstrom's posts can be seen here:
If you read his posts, you can see that he clearly has no clue about code auditing. Anyone who has a passion for bugs and has done some serious work on finding them will agree that in high-exposure programs such as OpenSSH or IIS, it is getting harder and harder to find decent bugs. And there would not be a hacker-side anti-disclosure movement if this weren't the case.
It is amusing how everybody and his dog tries to dress up their ideas in fake economic speak, too. Economics has become an interesting form of science: someone comes up with an idea and then tries to build "science" arguing in his direction. The empirical part usually consists of showing that at least one set of data does not contradict the claim and then deducing generality from it. Bloody brilliant.
Ah well. Reading the discussion makes me tired. Anyone who thinks that bugs are not getting rarer in core internet daemons is living in a parallel universe or hasn't audited anything in recent years.