I agree with stcredzero. You need some standards if you're going to put yourself out there as a security company. I'm a random chick with some web programming and I know that you should iteratively hash or salt your hashes. I also know you shouldn't use the same passwords, and what SQL injection attacks are. Hey, maybe I should start a security company!
It's more of an issue with, "do they practice what they preach?" "Do they eat their own cooking?"
When people at a company don't do this, it's often a symptom. A friend of my girlfriend worked at an AT&T store. She could've gotten a huge discount on AT&T mobile? Her answer: no thanks.
If it's ever possible for me to hire a security firm that has higher standards than this, I'm going to do that!