
SFDC - AppExchange Certification Process

I was chatting to a techie from SalesForce.com a couple of evenings ago and questioning him about the processes in place for ensuring the security of applications posted on their AppExchange. It's a pretty comprehensive process and one that might be useful to adapt for your own development work. The questionnaires used in the assessment process are available online here and well worth a look.

The associated spreadsheets are comprehensive enough, although I will level a couple of criticisms: they look sloppy in the way they are presented and are not easy to follow. I'd also apply weightings to the various sections and use the question responses to calculate a risk score based on the risk profile of the application in question (similar to the process used within my own organisation). For instance, for some applications, some questions might be more necessary to answer yes to than others. Because the assessment is going to potentially be used against thousands of applications, some benchmarking and scoring system could be useful - both to SFDC and to the developer.

Perhaps then SFDC could keep a league table based on assessment scores. Just a thought...


About

This page contains a single entry from the blog posted on October 25, 2007 6:15 AM.
