I work in AppSec for a Very Large Company. I've worked in large companies before. These are not new trends. We have programmers who do F# and other functional programming. I would think the bigger inhibitor to functional programming is that most of the existing apps are Java or .Net so unless you are building a brand new team, you reuse the skills and technology you already have working for you.
Our devs use plenty of small open source projects. We [Security] like to recommend software that we are comfortable with, but any determination of "stacks" we leave to the actual software engineering teams. If something is pretty bad, not updated, constantly having problems, etc - we might ban it... but what's your case for using poorly engineer software given alternatives?
Not sure if mom and pop is supposed to mean commercial, but not OSS? OSS we can patch and modify if necessary. We can even PR patches back based on what our "scanners" and manual testing find.
Generally, we don't care about language, most issues are in implementation not the language, and less so in more modern languages where the creators have heard about security.
The basic type of code scanning needed for PCI and other compliance is a commodity offering and is manageable cost compared to marketing and relationship management costs needed to pursue big clients.
I am not sure the OP understands what a SOC2 report says/does. It talks about pretty high level controls and practices. You certify an app/service, not a stack. If you scan and fix your bugs and have a proactive security training, it doesn't care about how you do it. There is no golden stack that will help you pass a SOC2. You may be able to make your life easier with certain services/SaaS, but the issues come up in your practices and in the actual code implemented. If you have bugs in procedural or functional programming, its the same problem from this perspective.
Vendor due diligence? Some companies have their own questions, there are also agreed standards for these that some companies opt into. I am not sure why a big company should risk their bottom line on something unproven or that isn't ready for prime-time. It's like getting an inspection when you buy a house. In the same way, your org can improve and make improvements. This is no different then adding in features some customer wants in order to win your business.
I don't understand the ultimate point, people who build functional apps shouldn't have to care about security? It's just another non-functional requirement that helps you win a broad audience. It's the same argument that says government should regulate this or that, that financial advisers shouldn't need to act as fiduciaries. It's the cost of doing business.
Maybe the OP has some weird experiences where auditors jumped on functional programming as an issue to justify not doing more work or make their lives easier, but I don't think this is something that is a commonly held belief across audit and security (if people even know what functional programming is).
I think a good parallel is OWASP for web app security. The content is free and open for the internet. OWASP doesn't directly focus on curating the content and it is left up to the community. The content grows old and stale, errors do not get corrected, and the writing is often what I would call draft quality even when its published.
There are always a lot more consumers than creators of content on any platform. Most people going to use a resource are not the same who can write about it, not everyone on YouTube has something to share or make a video. And why give it away for free when you can make a paid course, give a talk, charge consulting fees, sell a solution to a problem?
You need to align incentives. Again, why contribute to something and possibly deal with the pain of moderation for free (costs instead of gain). Should we blindly trust the wisdom of the crowds? The other cost of free, is that the community may not be capable or not interested in sufficient moderation - this leads to low quality content which chases people away, even if there is good content right next to it.
OWASP's incentives and objectives have never been 100% clear to me. There are some big security players involved, but it seems more interested in research, community, grants, etc versus content. When you look at MDN, Mozilla has a clear incentive to document these things so developers build more "standard" vs "Chrome-focused" web apps, which helps keep users on FireFox since all of their favorite sites are less likely to break without FireFox simply copying decision made by Chrome. By documenting expected action and quirks, it forces Google et al. to try to move back towards agreed upon standards.
In security, I am generally more reliant upon vendor write ups and content from people with a reputation. Security has a much smaller population than web dev. Also, for web dev a lot of people pick it up and feel comfortable writing publicly even when they are just starting out (See Dev.To). I am not sure if companies pump millions of dollars into commercial web tools beyond graphics and CMS type stuff, so I wonder if a more decentralized collection of guidance is practical for the web, not to mention that there is a lot of nuance between browsers and even recent versions.
In addition to recording, you may want to make some stills for download or for custom formatting, highlighting, etc. You can use Carbon - https://carbon.now.sh/ - which will do some auto formatting, but allow you to override. This is a bit better than just screen-shooting the IDE.
You may not want to just make one big long video - its hard to follow and then find specific key points in time. Unless you are showing a lot of interactive things and just input/output, copy and paste-able code is going to be easier for students to see and adopt. You may want more of a long tutorial document with small videos where it makes sense or you want to show something interactive.
In addition, its a lot more editing if you want something good without mistakes, etc (there are a lot of videos from big name schools online where professors do not correct themselves and just post the single unedited take). I would actually use video selectively. If you want students to easily run something you may want to utilize one of the many only IDEs that can execute code.
Depending on the tools available from your school or what you can find online you can make something very useful and interactive or you could try to use something like https://www.adaptlearning.org/
Our devs use plenty of small open source projects. We [Security] like to recommend software that we are comfortable with, but any determination of "stacks" we leave to the actual software engineering teams. If something is pretty bad, not updated, constantly having problems, etc - we might ban it... but what's your case for using poorly engineer software given alternatives?
Not sure if mom and pop is supposed to mean commercial, but not OSS? OSS we can patch and modify if necessary. We can even PR patches back based on what our "scanners" and manual testing find.
Generally, we don't care about language, most issues are in implementation not the language, and less so in more modern languages where the creators have heard about security.
The basic type of code scanning needed for PCI and other compliance is a commodity offering and is manageable cost compared to marketing and relationship management costs needed to pursue big clients.
I am not sure the OP understands what a SOC2 report says/does. It talks about pretty high level controls and practices. You certify an app/service, not a stack. If you scan and fix your bugs and have a proactive security training, it doesn't care about how you do it. There is no golden stack that will help you pass a SOC2. You may be able to make your life easier with certain services/SaaS, but the issues come up in your practices and in the actual code implemented. If you have bugs in procedural or functional programming, its the same problem from this perspective.
Vendor due diligence? Some companies have their own questions, there are also agreed standards for these that some companies opt into. I am not sure why a big company should risk their bottom line on something unproven or that isn't ready for prime-time. It's like getting an inspection when you buy a house. In the same way, your org can improve and make improvements. This is no different then adding in features some customer wants in order to win your business.
I don't understand the ultimate point, people who build functional apps shouldn't have to care about security? It's just another non-functional requirement that helps you win a broad audience. It's the same argument that says government should regulate this or that, that financial advisers shouldn't need to act as fiduciaries. It's the cost of doing business.
Maybe the OP has some weird experiences where auditors jumped on functional programming as an issue to justify not doing more work or make their lives easier, but I don't think this is something that is a commonly held belief across audit and security (if people even know what functional programming is).