This question was made by Martin McKeay during a Panel on RSA (Avoding the "Security Groundhog Day", hosted by Mike Rothman). I took a note at that moment because the answer came to me immediately:Half of the companies are not doing that because their customers don't ask for itThe other half uses Security as a Marketing feature, but only as that, i.e., they sell that their products/services are secure but they are not. Consumers don't know how to verify their claims.A good example of that are those "Hacker Proof" signs hosted by some online stores. Everyone that have already performed some kind of security assessment on a e-commerce environment know that a vulnerability scan (all you need to have one of those seals) is not enough to say that a website is "hacker proof".The question is, how to educate consumers on identifying which companies really protect their data. Or, are consumers really worried about that?