Huge efforts and money are spent protecting the edges of the network - whether it be firewalls and other router configurations, OS-level configurations, and other filtering tools (such as virus detection and scanning, and log and packet inspection and analysis tools). There are also plenty of security companies willing to sell you a magical black box that will solve all of your security problems.
The opposite seems to be the case when it comes to spending time and money on the security of applications used by internal and external customers - either through retrofitting existing applications, or when building new applications. Companies don't want to spend money to retrofit sunk capital, and I don't see security firms talking about or creating tools and common standards for building new secure applications.
Given this dichotomy, do you think that is a correct characterization of the problem space, and do you think we are spending our time and money in the right places as a result?