This seems to be a recurring theme, lately. I'm one of a team of dozens working on a large project and we have a handful of "security professionals" assigned to the team. We have just finished writing a design document and the security section is just huge; directly proportional to the number of people working on it. Anyhow, a bit of stage setting is necessary. I'm participating in a conference call, we have webex running and a collaborative whiteboard plus document sharing.
Me: "This is a big section on security but, it's not complete."
Security Professional: "Oh, what's missing?"
Me: "Software security."
Security Professional: "What do you mean, there's a whole section on how to configure each part of the software stack!"
Me: "No, I meant the software itself, especially the custom software that will need to be developed."
Security Professional: "As long as it's configured properly ... blah blah blah"
I cut/paste a snippet of code for a SQL injection attack onto the whiteboard.
Me: "How do you detect and prevent this?"
Security Professional: "What's that?"
Me: "Code for a SQL injection attack."
Security Professional: "Oh, I don't know anything about that type of security."
Me: "Security isn't a black box."
After that, I let the silence speak for itself. I recommended that as a start, they visit John Viega's outstanding contribution to the security community and re-visit their section of the document.