Which "industry" are you referring to? If you mean "line of business Java applications at huge insurance companies", you're right. If you mean "startups where software development is a profit center", I think you're pretty wrong: OWASP might be years behind the state of the art of modern software development.
I mean the whole software development industry, and arguably developers working worldwide on "line of business Java applications at huge insurance companies" and the like far outnumber the developers in "startups where software development is a profit center".
And even in greenfield development in new companies you still routinely see things like simple SQL injections or hardware with hardcoded trivial credentials. The future is already here, but it's not evenly distributed, and lots of new things are still made with very not-modern development practices - it's not only about legacy code, there's lots of new sloppy insecure stuff being written every day.
Respectfully, OWASP ASVS (see >4.0.1) and the Web Testing Guide are pretty current.
Most people haven’t read either front to back and for the most part make assumptions as to their purposes. Devs are the first to nitpick it and security practitioners for the most part are always a negative bunch :D
BUT....
If you are in a regulated industry like finance, insurance or healthcare, it doesn’t matter whether you’re at a startup or a stodgy Fortune 500 company.
At the point at which your organization starts caring about security, which is usually “client contract language” or “audits,” the flagship OWASP programs are killer tools which you’ll use to craft a secure software development lifecycle that touches everything from sprint planning to feature reviews and penetration testing.
Sorry, I just reviewed ASVS 4.0.2 and it's as OWASP as ever. It's super high-level. There are whole sections where it's clear the authors don't have subject matter expertise (cryptography, which has its own section with several bullets, has essentially no bullets on how to actually evaluate cryptography). Super-important attack patterns, like SSRF and deserialization, are condensed down to single bullets that amount to "don't have SSRF". There are idiosyncratic attacks, presumably the pet projects of OWASP authors, for which Google searches bring up ASVS as the only real cite. There are idiosyncratic defenses; some busybody has managed to get OWASP to demand secret-salt password hashes. Everything is indexed to CWE, further evidence of consulting infection. There's some good stuff on 2FA, but nothing meaningful at all about SAML (which has been ripping holes in major platforms for the past 5 years) or OAuth, which has been rolling new protocol variants to combat flaws for basically its whole existence.
I stand by what I said before. OWASP can be useful in consulting settings as a communication tool. It's not a good reference.