In my experience it's fairly difficult to squeeze any sort of good coding practice out of most developers. They have deadlines, code quality be damned.

As Steve pointed out Security and error handling are significant culprits, but there are others that are less visible, and i think perhaps more common: poor/lack of naming conventions, spaghetti code, useless/missing comments, orphaned functions, etc.

I can't think what else might belong on that list but i'm sure there's something.

We can hope that the NSA list will be used as a benchmark for adequately secure code, but the chances of it being used widely are, i think, quite small.