
Ricardo, can you point me to the security flaws you've discovered and documented? I looked you up on LinkedIn, and you have a long resume in software development --- but no apparent experience whatsoever in software security.

Your claims about QA and security are so wildly outside my own experience and the general understanding of my field that I'm wondering where you get the confidence to make them so forcefully. I've never met a QA team anywhere that could reasonably be left responsible for testing software security.



I don't work with software security and have discovered absolutely no new security flaws. I have, however, experienced many and created some in the long career you refer to.

Still, none of the security problems I wrote into my code could be blamed on highly adversarial conditions - all of them were plain bugs, places where I forgot to do something or where I trusted something one should never trust.

The fact that you never met a QA team that could uncover security problems possibly stems from them not looking into the code itself and never having the responsibility of finding such problems. Validating compliance, correctness of observed behavior and even overall user experience is also called quality assurance, but it is, by no means, the whole of the software quality concept.


As long as we're clear that by "them", I mean "a broad cross section of the whole industry, from embedded infrastructure code to 'web 2.0'", and you mean "the fictitious QA team that works the way I say QA teams do", then I think we agree.

Because I'm telling you that you're wrong about the relationship between QA and security in the real world.


I am deeply sorry you never met such a team. It's a most gratifying experience.



