> And the really odd thing is that it's usually WAY easier to address this kind of insecurity than it is to fix problems in software, especially COTS products. You just have to try. Yes, it costs a bit, but it's not exactly exotic and it's not all that expensive. Firewalls are cheap, faster than ever and not terribly difficult to manage anymore.
No, it's usually WAY difficult to address this "architecture" insecurity as you put it. I really don't understand why you're even mentioning firewall costs at all.
To correct that kind of "architecture" issue you often need to add layers/filters/equipment/barriers into the data flow, which introduces lots of issues and in the general case is expensive. Especially when you have a legacy infrastructure where the Internet is a later add-on.