**As always on the TS/SCI blog, the comments is where the "real hotness" is and you should make sure you read them with each post.
Also check out this thread on Jeremiah Grossman's blog:
While I don't always agree with Dre, I have to admit that before I would drop $110k + yearly maintenance, I might have to crunch the numbers to see how much it would cost me for a real thorough web application code rewrite/review/& pentest before you get stuck with yet another appliance in the rack that you have to pay money for every year and I have to pay someone to run.
I'm not a SDLC guy but are we really to the point that we CANT write a secure web application for any amount of money? I would hope that isnt the case.
Read the posts. Dre and Marcin put it better than I ever will.