It's not only "internal". There isn't really a functioning market for "middleware" in much of software, creative areas excluded. I don't really believe that managers, users or anyone else is primarily responsible. At the end of the day most developers aren't very good at security and they aren't necessarily willing to pay for it either.