Vice-president of security strategy for CA Simon Perry said that vendors and end users needed to push for a higher quality of secure programming code.
"Right now we're all on a treadmill," said Perry. "And we all need to change that before we can get off. We have to change the way our infrastructures are developed.
"We need to draw attention to the fact that the [patching] process is broken. And we are not pushing a high enough demand for quality and secure coding."
Perry added that the government needed to play a more active role in monitoring the quality of technology products: "The government can recall a pizza because the quality is not right. But software has no recall program. We have to get better at driving this point."
The security industry was also in a sorry state because companies were convinced they were working proactively to solve the patching problem, said Perry. But he added that people had just improved on reacting quicker to vulnerabilities.
"We're not being proactive," he said. "We are getting better at preventing vulnerabilities before exploits occur, but that's being reactive. There has to be a better strategy."
"I was in one of the leading IT universities in Europe," said Perry. "Only to discover that there was not a single lecture on secure coding. That's a pretty sad indictment of where the security industry stands today."
Perry also advised delegates to refrain from entirely blaming vendors for the industry situation: "It's not about beating up your nearest vendor. "
"We're all builders in this, and we have to change the way we measure the success of projects. Now people are rewarded on time and cost, not on the security of code development."
Perry was speaking at the Secure Computing Conference in London, which ends tomorrow.