Ensuring the security of a product doesn't have as tangible bragging points as shipping new features. Failing the former is unlikely to be blamed on product, but achieving the latter will almost certainly be credited to them. Responsibility for an insecure endpoint or poorly configured service falls to the engineers, despite the managerial influences that will often lead engineers to cut corners on things like security in the first place.