Very good points, I agree. He could also be a great software developer and still be not good with security; I've worked with a ton of them.