We had Jeff Sutherland, co-creator of Scrum, at our company earlier this week to give a talk and promote a new book of his. When asked about changing culture, he reminded us of Conway's Law and said, "You can't change culture. You can change structure. When you change structure, the culture cracks, then it reforms."
This made a lot of sense to me. If we look at current society as an example, how long has it taken for equal marriage rights to get to the level of acceptance it has now? You have to change individual attitudes, and do that with enough individuals in a group to change the culture, and that doesn't happen overnight. Organizational structure is something you can change (although it's usually done with a different goal in mind, not to influence security-mindedness).
I've been pushing for developers in my group to adopt TDD, but I haven't had the kind of impact I'd like. Change has been mostly with the folks I work with a lot. One of my group's focuses is security. Yet we only recently got every project compliant with a requirement to not have any kind of application password (for DB access or service requests) in clear text in source or configuration files. Ironic, right? So I guess policy can also put pressure on folks to do the right thing, but I don't think it does a lot to change culture either.
We have a "Security Advocates" special interest group in our company, and these are folks who, like you, try to get the word out about security and promote secure development practices. Again, the impact the SIG has on security culture appears to be limited, but I think that's just the nature of culture change: it's an evolution.
All you can do is keep fighting the good fight and keep pushing your agenda. Be that lone voice shouting in the desert if you have to be. Keep working to expand your circle of influence. Keep the pressure on and sooner or later, something has to give. When something cracks, you'll have made progress and you can start reforming.