1. In general it costs just as much to develop code with poor performance as it does to develop fast code. The same can be said for security. If you have good templates and good guidelines, you tend to develop better code. So I refute the argument of cost outlined in the reply above.

    That said, I do agree that these best practices need to be gained from somewhere and implemented, which typically means smart, motivated, up-to-date staff. These folks typically earn more.

    2. I'd hesitate on the "decoy" concept. It may work for fighter aircraft against an immediate threat, but it may also attract the attention of someone with a more effective weapon. Once they've hacked your honeypot, they are more educated and are now armed with scripts to automate their attacks against you or someone else in your industry.

    3. If you really have the ability to detect a hack and track the offender back to the source, then there is merit in offering a soft target which you can use as an ambush. But if all you know is that "someone" tried/is trying to hack us, it may help to get budget for more security, or it may just frustrate the business. I.e.: which is more expensive? Knowing that someone is trying to hack your bank's ATM network right now and maybe letting them steal money, or turning off all the bank's ATMs nationwide for an indeterminate period of time and dealing with the customer dissatisfaction and negative PR that results? What manager wants to make that decision?