July 18, 2006

The Six Dumbest Ideas in Computer Security

While listening to the latest Silver Bullet Security Podcast with Gary and Marcus Ranum I was reminded about an excellent piece of writing by Marcus on "The Six Dumbest Ideas in Computer Security".

When I first read this last year, I remember thinking it would be SO nice if people actually accepted this. Now a year later, I notice not much has changed. Don't believe me? Consider the six dumb ideas Marcus mentioned:

  1. Default Permit
  2. Enumerating Badness
  3. Penetrate and Patch
  4. Hacking is Cool
  5. Educating Users
  6. Action is Better Than Inaction
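
The first two items on that list are concrete enough to show in code. The following is an added illustration, not something from this post or from Marcus Ranum's article: a constructed service that takes a "report type" parameter and checks it two ways. The blocklist checker enumerates known-bad patterns and permits everything else (Default Permit plus Enumerating Badness); the allowlist checker enumerates the only values the service actually needs and denies everything else. The sample inputs, pattern list and report names are all made up for the example.

```python
"""Default-permit (blocklist) versus default-deny (allowlist) input checks.

Constructed example: a service accepts a 'report type' parameter that it
later maps to a file on disk. One checker rejects only inputs matching a
list of known-bad patterns; the other accepts only explicitly listed values.
"""
import re

# Enumerating badness: the patterns someone happened to think of.
KNOWN_BAD = [re.compile(p) for p in (r"\.\./", r"^/", r"\x00")]

# Default deny: the complete set of values the service needs to accept.
ALLOWED_REPORTS = {"daily", "weekly", "monthly"}


def blocklist_permits(value: str) -> bool:
    """Default permit: the value passes unless a known-bad pattern matches."""
    return not any(p.search(value) for p in KNOWN_BAD)


def allowlist_permits(value: str) -> bool:
    """Default deny: the value passes only if it was explicitly enumerated."""
    return value in ALLOWED_REPORTS


# Constructed sample inputs: one legitimate value and three traversal-style
# strings, only one of which the blocklist author anticipated.
SAMPLE_INPUTS = [
    "daily",                      # legitimate report name
    "../../etc/passwd",           # matches the blocklist pattern '\.\./'
    "..\\..\\windows\\win.ini",   # backslash variant, not on the blocklist
    "%2e%2e%2fetc%2fpasswd",      # URL-encoded variant, not on the blocklist
]


def compare(inputs=SAMPLE_INPUTS):
    """Return {input: (blocklist_permits, allowlist_permits)} for each input."""
    return {v: (blocklist_permits(v), allowlist_permits(v)) for v in inputs}


if __name__ == "__main__":
    for value, (blocked_ok, allowed_ok) in compare().items():
        print(f"{value!r:32} blocklist={blocked_ok!s:5} allowlist={allowed_ok}")
```

The blocklist only stops the one variant its author already knew about and waves the other two through; the allowlist never has to know about any of them, because the decision is made on what is permitted rather than on what is forbidden.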

You will have to go read his article if you want more depth on each dumb idea, but even on the surface you can glimpse a commonality... those designing secure software have the opportunity to avoid each and every one of them. Yet most do not. In actuality, many software companies BANK on some of those ideas to make money. ESPECIALLY computer security companies! *sigh*

If you haven't had a chance, listen to Marcus and Gary talk about this and other fun security topics in the most recent Silver Bullet Podcast.

Great read, and a great listen. Enjoy.

Posted by SilverStr at July 18, 2006 07:39 AM
Comments

I like some of the items there, but some are stretching it a bit. I will first say that I did enjoy the post, and I've seen it in the past before, and I understand where he is coming from and respect that. :)

"Penetrate and Patch" would be a dumb idea, if all software and all people behind software were perfect and no code changes were made over time. Unfortunately that is not the case. Code changes, hence new bugs can crop up. Some old bugs long thought benign or not noticed later become vulnerabilities (jpeg-viewing legacy code in Windows, if I recall?). I get his point, but I wouldn't go to the extreme of bashing what is otherwise the slow hardening of software and the slow learning process of software developers learning from mistakes. Anyone in a large development shop can see how issues like these can help educate developers and thus churn out better code (hopefully).

"Hacking is Cool" is another slightly misrepresented term. As a security practitioner, I actually better know how to break into many things, therefore I have a good idea what to defend and how to defend. If I don't know the enemy, I am defending against some black phantom and I will get beaten, period. The Art of War mentions this in detail (as detailed as it gets, anyway), and penetration testers use this to evaluate systems and networks. I'm sorry, but the part about security practitioners not needing this is a bit ignorant. And I don't think this will go away any time soon, since technology is only going to continue to penetrate more facets of our lives, especially at young ages. I do find this statement odd, as the author says he has developed firewall products in the past. If you don't know how to attack firewalls, how do you know how to build effective ones?

Educating our users is a good thing. When I stop hearing, "Oh, I didn't know that," and see my users actually learning and doing things differently, I might believe this. But until then, I constantly see changed behaviors due to education on security in the workplace and in private life. Educating users would have worked by now if technology didn't change so rapidly and all users were more or less equally educated.

"After all, if the conventional wisdom was working, the rate of systems being compromised would be going down, wouldn't it?"

I don't like this at all for similar reasons. This would be arguable if technology, speeds, knowledge, and numbers of systems were held at a constant. Instead, many more systems are online every year. Many more people are getting online. Virus writers and others are getting more sophisticated and automated. We have a much larger amount of monitoring and capturing of incidents now than we did 10 years ago (and thus of course we see more red flags). Saying that because more systems seem to be compromised now is thus a result of flawed conventional wisdom is simply a flawed conclusion.

Posted by: LonerVamp at July 21, 2006 04:42 PM

I do want to say, since I didn't make it clear in my post, that I highly respect Marcus Ranum and mean him no disrespect, even if I do disagree with some of his points. :)

Posted by: LonerVamp at July 21, 2006 04:46 PM