Isn't security is under one of those "things you can fix later"...
The problem is that the saying is: make it work, make it good, make it fast. Most programmers stop after the first step. "Make it secure" is not even an afterthought, and generally you only think about it after being bitten.
To be honest, "make it work" can be hard in itself. How do I justify spending four hours to add an issue and fifty to go through the other steps? I can imagine telling my boss "oh yeah, I added the feature two days ago, then I cleaned up the design, now I'm optimizing it and then I'll think of ways in which it can be exploited".
The problem is that the saying is: make it work, make it good, make it fast. Most programmers stop after the first step. "Make it secure" is not even an afterthought, and generally you only think about it after being bitten.
To be honest, "make it work" can be hard in itself. How do I justify spending four hours to add an issue and fifty to go through the other steps? I can imagine telling my boss "oh yeah, I added the feature two days ago, then I cleaned up the design, now I'm optimizing it and then I'll think of ways in which it can be exploited".