I've been watching the various articles and reports on the new Healthcare.gov website in the US. There have been a number of problems with the site and it's been somewhat amusing to see the various politicians and pundits complaining about the site. I've seen quotes that say Facebook and Google wouldn't have had these issues. I've heard various friends tell me the issues wouldn't happen in a private company.

It's amusing to me as a tech guy. I've seen numerous outages and issues from Facebook, Google, Microsoft, and more. I've seen them have downtime, security holes, outages, and problems with deployment of new code to existing sites. We've even had embarrassing "security certificate expiration" events from large companies. Any large scale site will have issues. None of the high tech companies would want to, or even likely be successful at, releasing a 1.0 version of a site to millions of users. We've seen numerous scale failures in the past from various companies, often because they never tested at scale. However many of these companies have improved their architectures and infrastructures over time, learning as they go. 

I don't know if the healthcare.gov site can be improved in a timely manner, even given the "tech surge" that is taking place. Many of us have learned from experience that adding more programmers to a project doesn't necessarily get things done faster. Instead, I would bet most programmers would appreciate having more resources for testing and architecture up front when the important decisions are made.

The most glaring example of this in the healthcare.gov site is shown in the security issues uncovered recently. The site received  provisional security approval and a large scale security test of the entire system wasn't performed. To me, that's inexcusable. There's no reason to skip security testing of any large scale application that deals with PII data, no matter whether it's public or private site.