CNet.com has an interesting account of how Microsoft became more aware of security and changed their internal practices to not only deal with problems but to avoid them whenever possible. While it is somewhat "rah, rah" in it's tone, it seems to match the facts. In other words, it isn't made pretty just for your consumption. I think it is worth a read. Plus, I enjoyed it.