That's all fine and good if you only take companies and security consultants into account, but I'm not sure it's 100% analogous. What about a random hypothetical geeky teenager who wants to contribute security patches to an open source project? I don't think there's a lockpick equivalent to that.
There is an analogy: Locksporting. Groups like Toool and individuals across the world pick and design locks as a hobby, and have shown flaws in high-security designs like Medeco that were later corrected.