Nick Coghlan writes:
As you point out, most language development teams do very little to try to educate their users about security issues.
That's partly because it isn't going to be terribly effective. Security is a difficult subject, not one that's going to be usefully treated in a couple of lines here, a couple more there. And it is generally an application issue, not one that is specific to individual features.
If we're serious about this, I suggest following the RFC pattern: *every* module's documentation should have a "Security Considerations" section. Probably the content will be basically the same as the existing warning boxes, but with a consistent approach throughout the docs it could convey the importance of always thinking about security.
The consequences of that are clearly visible in the world around us: when security is treated as an optional afterthought,
But (FWIW) that's what warning boxes looks like to me. An afterthought. Not a systematic attempt to encourage security by teaching about secure programming. By your own words, we are nowhere close to a world where "a word, to the wise, is sufficient."