This is a great area to focus on - the recent Android vulnerability is a perfect example. How-ever the chain moves all the way up to the end user and application. You mention 10% of code is vulnerable. Simply providing the wrong tool for the job can be even more damaging, and my experience of seeing the actual tools in the field and how organizations were using them is even more prevalent. The incentive for cost, ease of acquisition, misrepresentation, fraud is just to high. Who you deal with can be more important than what you get - but both have risk. I think good oversight and making the process better for both is important. We are probably weak on the who you deal with part.
More information about text formats