A lot of software developers are doing what RMS says a lot of time. It's just that almost noone does it all the time.
It's clearly evident from the amount of GNU and GPL software out there that wasn't written by RMS that people are following his ideas. And that those ideas have succeeded, simply by the success of that same software in the marketplace.
It's not a failure of the ideal when developers of open source also write proprietary software to pay the bills.
I bought a Lenovo X131e Chromebook second hand for exactly that purpose. Went online for the instructions to boot it into developer mode so I could change the OS
I now have a device that runs ChromeOS and nothing else. So it's going to get sold on to the next victim. Make sure if you do buy one for this purpose that you really are able to change the OS.
The Open Web Application Security Project website is a great place to start browsing from, to investigate both pen testing and secure development.
I would also recommend getting some familiarity with the PCI DSS standard. It is aimed at companies involved in online payments (and a bitch if you have to prove compliance.) However when used as a descriptive framework rather than a prescriptive one, it's great foundation for planning a company's IT security aspect.
I'm sure there's a bunch of other security standards for other industries that could be used in much the same way. A good security consultant should at least be able to name check them.
Who else remembers, back in the day, when whistleblowers used to escape from Russia and seek political asylum in the USA?
I feel old.
Consider a horse that isn't stupid.
Trust me, the only reason anyone can ride an animal that weighs more than 1,000 pounds and can kill us with a single kick is because they are stupid.
So I can dual boot two actually useful operating systems.
Mac OS X for video editing, Linux for development - and nearly everything else, really.
Science is what happens when preconception meets verification.