That's one way to see it. I usually don't think about security in terms of individual programmers' capabilities but more what the company behind them wants to accomplish. Security should be a process. Compare the code coming out of Microsoft in 2000 with 2010 -- still not great perhaps, but what a difference a change in objective can make.
Antivirus programmers are paid to add new parsers. Not to assess the security implications of the software. The result is predictable. Sourcing competent programmers would make zero difference as long as they have no incentives to change their process.