I think alot of what is taught in schools comes from teaching to the lowest common denominator.
I participate on an advisory board every year at the local community college where I also teach part time. This year I came across something interesting. We basically ran into two schools of thought:
1) teach basic classes to get the high school kids up and running with computer and programming classes and on to a good 4 year or jr. programming job.
2) teach really cool, but very advanced classes on security (mostly network though), knowing that we're going to be catering to businesses out there educating their employees though our certificate programs.
Obviously, teaching "Hello World" isn't as sexy or fun as an advanced class on securing a Linux firewall, so competent teachers want to have the "fun" courses. Ultimately, schools must make money though, or they can't pay us teachers, so the fresh meat get
the basic programming classes, not exciting at all, mostly because it is a struggle to fill these student's heads with good programming practices and we spend a large portion of time just with flow control and the concepts of OOP.
That leaves the middle ground, a sort of no man's land. At what point is it appropriate to introduce a programmer to security concepts? Before or after they learn what a switch statement is? Before or after they learn to connect to a database?
Also, look at the job postings today, people are asking for things like a year of C#, 5 years RDMS, 3 years OOP. I have very rarely seen a request for something like "1 year secure programming experience"