Why do the Vast Majority of Applications Still Not Undergo Security Testing?