Microsoft has published another paper from the IT group describing some of their best practices and experiences. The download page links to a paper and a PowerPoint presentation. From the Lessons Learned section of the paper:
Microsoft IT's effort to inventory, assess, and, if necessary, fix security vulnerabilities that it discovers in its internal applications has proven to be successful. Microsoft IT has a much better grasp of the number and complexity of the applications that are used to run the company's day-to-day business. Any vulnerability discovered in one application was noted and searched for in other applications.
You can download the slides and the paper here:
Application Security Best Practices at Microsoft