I have a couple of problems with the implication that "short time to find/fix" is so acceptable.
1. Some amount of damage was done (and no one really knows for sure) through this bug. A fix was identified rapidly after the bug was -discovered-, but that's a long time after the bug was -introduced-.
2. For some systems, particularly those like SCADA systems where we really have deep information assurance concerns, patching software is not easy! Not everything can use "grab the patched source, rebuild and reinstall" or even "download the patch and install" repairs.
Thus the emphasis Has To Be on preventing these kinds of problems, then defending against them. Fixing them after the system is deployed is by far the weakest strategy. (Thus I salute with a full hand the initiative announced today, and discussed on a related Slashdot thread: http://news.slashdot.org/story... )