I'd suspect that there's plenty of common ground with the CERT set - good practices are good practices.
What I don't see in this discussion is an honest criticism of the SDL practices being published.
I have directly observed (from my position as a corporate developer that works somewhat closely with Microsoft) that Microsoft's focus on security since 2003 is sincere and pervasive. They take security seriously.
While I'm no friend of ActiveX, the bleating demands that they scrap the
Publishing their internal secure development lifecycle process for all to see is an example of the transparency that is so often trumpeted as a feature of open source development. If you can find flaws in the SDL, I suspect that they'd be happy to discuss it with you. (They've been quite open with our company about their SDL for the past 3 years.)
Having a good process doesn't guarantee perfect results - and I don't think Microsoft is promising perfect results. No sane software development group would. I think this demonstrates an ongoing commitment to security - one that started years ago.
Simply pointing and laughing does not reflect well upon you. Criticize the Microsoft SDL - it's out there, with OSS-style transparency. Start a serious discussion - and offer up improvements, if you can.
Here, in a nutshell, is why a lot of normal, non-technical users have trouble with FOSS...
They don't know anything about how and why Flash crashes their browser - or why Chrome handles it better.
They only know that their browser has crashed.
When someone more knowledgeable says "The problem isn't this, it's something else - so FIX YOUR COMPUTER before complaining" - well... the user just wants things to work, and their browser is still crashing.
Even if they had the time to dink around with their configuration until things were better, I don't think they're especially motivated in that direction. Most people don't enjoy messing around with their computers.
On the upside, your normal, non-technical user might not know enough to be offended by the PEBKAC remark.