> As a result, should the government require businesses with sensitive data to implement bug bounties?
No. They should go further. We should have a law, similar to Sarbanes-Oxley, that forces companies to undergo a security audit every year.
Otherwise, we're going to be in an endless cycle, where companies refuse to invest in security, a huge breach occurs, and everyone suffers.
The current system does not incentivize investments in security because they hurt the bottom line and have no tangible, immediate value to shareholders. That's a dangerous situation.
I'd rather see some security standards (updated yearly or so) and heavy fines and reimbursements after a hack (not necessarily malicious - a proof of concept published by a white hacker would do), if the security was lax. Triple them if the company hid the fact that they had been hacked.
It's just impossible to avoid being hacked. If you're a big enough target, someone on the bleeding edge is going to have the desire and ability to get you. What if you're hacked because of a secret NSA backdoor installed in some firmware?
Fining companies heavily for being hacked is like fining someone for being rained on. Except, in this case, the rain is pretty much a guarantee, and the person knows that, and when they get rained on, their customers get screwed. So you fine them for not having an umbrella.
An audit doesn't necessarily need to be done the way it has before. It could even just be a bug bounty hackathon, like the big browsers do.
If whitehats had a ton of easy-to-find work to do, there'd probably also be fewer blackhats.
Are you familiar with Sarbanes-Oxley? It only applies to publicly-traded companies. It hasn't killed any of them yet, unless of course they were actually committing fraud.
If security audits were to become mandatory, they would only apply to companies of a certain size.