July 26, 2005

Security woes increase

BusinessWeek's Spencer E. Ante has an interesting assessment of the personal-computer security landscape in the post-Service Pack 2 era. This won't come as a surprise, but one of the remaining culprits he cites is Internet Explorer.

Since Microsoft released its Windows XP Service Pack 2 last August, many computer users have shored up security of the Windows operating system. However, Microsoft's Internet Explorer remains vulnerable, say experts. One major reason: Software applications such as Internet Explorer contain code that is 5 to 10 years old, when security was less of a priority for software makers. "We are paying for the sins of the past," says Gerhard Eschelbeck, chief technology officer of Qualys, a computer security firm based in Redwood Shores, Calif.

Posted by Todd Bishop at July 26, 2005 11:01 AM

Comments
"We are paying for the sins of the past" is the truth, but it's not because code is "old". There was enough clue back in 1995 to predict that breaking safety expectations (data that runs as code, web sites that program the visitor's PC) was an Extremely Bad Idea. That this clue failed to prevail in Microsoft's designs of the time says nothing about 1995-era code, but a great deal about Microsoft.

Concerns remain on whether Microsoft has finally "got it"; the only thing that might dispel such concerns would be a frank admission of past clue-failure and a promise to wise up. That's probably too much to expect, given the possible legal implications.

I do see Microsoft catching up with clue needed to avoid yesterday's mistakes (to a large extent, XP SP2 is an embodiment of that clue). What I don't see is a carry-over of a needed "meta-level" awareness to new designs, as built into future products.

By now, I'd have hoped we'd have learned that any code can turn out to contain exploitable defects, and therefore one should not "grope content" ahead of the user's clearly stated intention to "open" such content. Yet the trend is towards more background services and more persistent handlers that grope content the user merely wants listed, or even left alone entirely. I predict this will be to 2007 what the curse of Office macros was to 2000 or so. New features, new mistakes.

Posted by: Chris Quirke at July 28, 2005 06:48 PM
©1996-2005 Seattle Post-Intelligencer