Building a cost-benefit model for application security testing

Is it possible to speak about application security testing in economic terms? My intuition and practice suggested that it's not only possible but necessary for security testing to really make sense.

I prepared the below presentation for Romanian Testing Community in Cluj, in March 2012. This is not a ready to use model — it's discussion of theoretical and practical challenges of building such a model.

What's the question that this model should help answering? For example, having thousand of very different security modules how should you plan and allocate testing resources to get most risk reduction for the money.