That all depends. After enough time passes where otherwise smart programmers are caught with a stupid security bug in their code some of them will start moving towards using languages that take care of this problem for them. Memory management was once the same way: we all "knew what we were doing" and ended up getting screwed because we were not as smart as we thought, then languages started showing up that took care of the issue for us.

I am more certain that capability-secure languages will become mainstream within the next decade than I am for a capability-secure OS. ACLs and discrete partitioning of security via virtualization are half-asses solutions that, like threads, will end up getting overwhelmed by the complexity of making things work in large-scale distributed systems. Capabilities offer a solution that is known to work, and eventually most programming languages will incorporate them into the mix. The only question is how long will it take and how deep the capability-semantics will run.