The government has now joined the fray with a proposal to develop standards for software security. Some of the sharpest minds in software security Gary McGraw, Brian Chess and Michael Howard among them have spent years trying to nail down a framework for this task, with varying degrees of success. The problem is that we don t have a meaningful model for the severity of security vulnerabilities, CVSS notwithstanding, let alone for the probability that they will be exploited. Building this kind of model requires some pretty serious econometrics.
Source: https://threatpost.com/cybersecurity-bill-tries-standardize-software-security-040709/72769/