I have spent less time reading about vulnerability research and QA control mechanisms lately, but the current implementation at XYZ corp. has piqued my interest in this area again. The vulnerabilities market for security experts is not as lucrative as it used to be, but I suspect it will go through its own economic shift cycles as organizations' information and services move further into cloud and SaaS-based environments.
Currently there remains a lack of information awareness, and a gap (indeed a huge divide), among IT professionals within small and medium-sized organizations, both non-profit and for-profit. More importantly, vulnerability research should be part of the CIO's responsibilities and policy-making functions. My recommendation is that IT directors and CIOs actively create policies for, and conduct, periodic penetration and vulnerability testing on all of their IT infrastructure systems, both the internal ones and the ones they place in the cloud or outsource (for the latter, with the provider's written authorization, since testing a third party's systems without it is not permitted). These tests include, but are not limited to, SQL injection tests, malware checking and reporting, social engineering exercises, reverse engineering of services and products, mobile device management of BYOD as well as company-supplied devices, and routine network testing.
Create policies that address zero-day vulnerabilities in such a way that, annually (or every two years), an IT auditing firm's viewpoint is gathered and incorporated into strategic planning discussions with senior management.