As the lead author of the OWASP Guide 2.0, I commend Marcus for stating his view that buggy software can be improved by performing code reviews. This has been my experience as well, but I am biased :)
However, I found Marcus' comments jarring against my own experiences in the large corporate sector.
I currently work at a very large financial institution which, for the last 25 years, has made the commercial decision to not patch, not upgrade and not be bleeding edge at any time. Most workstations are still NT 4.0. Most servers are still Solaris 7. We use an ancient Java.
This approach costs them so much downtime and lost productivity, through:
a) known exploits work using known configuration issues and poorly written *old* software ... which has been fixed by the vendor
b) known bugs which cause avoidable downtime, which are fixed by the vendor but are yet to be deployed
c) insecurable foundations - you simply cannot change a large institution in a meaningful way which has embedded such old software centrally into its daily operations.
d) avoidable downtime and data integrity lossage from worms and trojans which sweep the network on a regular basis
Sure it saves them a bit of cap ex costs with their software vendors as they seem to upgrade once in every 10 years, but it demonstrably is not secure and it costs them zillions in op ex. It does not engender scalable data integrity.
At this time, the usual bogeyman (Microsoft), which is an easy target for many who do not know any better, have cleaned up their act. Their modern stuff requires less patching, less out of the box twiddling to make secure, and is generally more robust in the face of bad software running on top of it.
For example, I have just finished a review of a system which contains both Windows 2000 and Windows 2003 hosts. The Windows 2003 "to be fixed" section is half a page long and has only low risk findings. The Windows 2000 findings section is four pages long, has many high risk findings, and could be summed up by "Upgrade to Windows 2003 - it's cheaper". Microsoft has made this jump in every one of its recent products.
However, if a person followed Marcus' recommendations to avoid buying buggy software, well, it's my personal belief that you'd be shooting yourself in the foot, as the fixes are there to be had with the current versions. Ditto for Sun with Solaris 10 with app domains, and RH EL 4, with SELinux enabled by default. This is good stuff, which will improve security even for those who set and forget.
The "don't patch and don't touch" aspect simply does not wash with on the ground experience of large corporates who do exactly that.
It's about making reasonable choices to reduce the attack surface area. There are many ways to do that, and in my opinion, good quality out of the box configurations and later software benefit from recent advances in secure coding. 10 year old software has none of this.