Security is a usability nightmare. All the instinctive and usually lazy things people do are just bombs waiting to explode. I don't know why this continues to be the case. Most platforms for web development should have taint checking turned on to the highest setting by default. SQL access points should scream in your face every time you use a bare query. With a bit more you could even get developers to do the right thing in terms of salts, passwords, and hashes. I think it is clear that pointing people to OWASP and asking them to read their security articles before bedtime is not as useful as it could be. Library writers also need to be involved and use safe options by default instead of opt-in.
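One way a SQL access point could "scream" at a bare query, as an added example that is not part of the original comment: a thin wrapper over Python's `sqlite3` that refuses any statement carrying inline literals unless the caller explicitly opts out. The names `LoudConnection`, `BareQueryError` and `allow_literals` are hypothetical, and the literal check is a heuristic, not full taint tracking.

```python
import re
import sqlite3


class BareQueryError(Exception):
    """Raised when SQL text carries inline values instead of placeholders."""


# A quote or a standalone number in the SQL text means a value was written
# (or interpolated) into the statement rather than bound as a parameter.
_INLINE_LITERAL = re.compile(r"""'|"|\b\d+(\.\d+)?\b""")


class LoudConnection:
    """Hypothetical wrapper: the safe path is the default, opt-out is explicit."""

    def __init__(self, path=":memory:"):
        self._db = sqlite3.connect(path)

    def execute(self, sql, params=(), *, allow_literals=False):
        if not allow_literals:
            hit = _INLINE_LITERAL.search(sql)
            if hit:
                raise BareQueryError(
                    f"inline literal {hit.group(0)!r} at offset {hit.start()}; "
                    "bind it with a ? placeholder"
                )
        return self._db.execute(sql, params)


def demo():
    db = LoudConnection()
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    name = "O'Brien"  # constructed sample input containing a quote
    db.execute("INSERT INTO users VALUES (?, ?)", (name, "admin"))
    outcome = {}
    try:
        # The lazy form: value formatted straight into the statement.
        db.execute(f"SELECT role FROM users WHERE name = '{name}'")
        outcome["bare"] = "ran"
    except BareQueryError:
        outcome["bare"] = "refused"
    # The bound form passes the check and handles the quote correctly.
    outcome["bound"] = db.execute(
        "SELECT role FROM users WHERE name = ?", (name,)
    ).fetchall()
    return outcome


if __name__ == "__main__":
    print(demo())
```

A value with no quotes or digits formatted into the statement still gets past this check, which is why it complements taint checking and does not replace it.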