Is there a need for a kind of "Underwriter Labs" organization that would test brands and versions of software and put their "approved for consumption because we think it's exploit-free" label on those products so users could feel like they could trust those products to some degree? (Although I'm not sure you could prevent configuration errors by admins.)
Instead of paying penetration testers, would it be cheaper to pay insurance companies to cover losses that "exploit-free" labeled software failed to prevent?