I have done research after a reported SQL injection vulnerability (yes, by a student who decided to report the error and got a nice thank-you for reporting it) and noted other attacks from abroad in the logs at regular rates.
What I miss in your story and in the comments is the option "people calling who don't understand free software". I can imagine some users at companies 'thinking': We use this software in our business -> someone at our company has officially installed this -> we don't install software without a support contract -> there must be a support contract but I'm not going through the trouble of finding it.
Usually those 'costs' were caused by companies trying to make the hacker pay for all the work surrounding the case and all the backlog in securing systems done as part of the clean-up operation in the aftermath of the break-ins.
I wonder if companies will overstate costs under these rules too or whether they will understate them because the numbers aren't used to make someone else pay.
Next up, IPv6!
"Browser vendors have the right incentives because users have a realistic choice of browsers. Flash is an all-or-nothing affair."
And that is a real problem for users, and not just because of its effect on security. Only Adobe makes software that can handle all the Flash applets out there, and anytime there is only a single supplier, the incentives to make things better for customers aren't there. Adobe has been pretty nice with Flash, considering.
Seems to me there _is_ an easy fix: disable that behavior by default (why would you want it, anyway?). Then, for sites that are broken by it, allow it to be selectively enabled.
Of course, the fact that Adobe isn't fixing it and we aren't allowed to fix it nicely illustrates why having the whole world depend on a piece of proprietary software is a bad idea at least from a security point of view.