At issue isn't the value of improving software development processes to incorporate security throughout the development life cycle. What's at issue is whether or not Microsoft's SDL has improved the security of its software when it's shipped at GA. I certainly believe it has come a long way since this day (link), and that Microsoft is using public vulnerability discovery counts as its measurement of success.
Lindstrom makes a number of points as to why the number of publicly discovered vulnerabilities is on the wane; some are dubious, others are worth consideration. Not all of them have anything to do with an improvement in development: