
nikster | 4 years ago

My hypothesis is a lot simpler:

Hacking is much more profitable than preventing hacking.

Incentives are heavily biased towards security exploits on all levels.

End of story.

There's no reward for "your code never got hacked". There's a reward for delivering a feature in time and a penalty for not doing so.

You'll get a bonus or promotion for delivering features. If you take twice as long because you made your code really secure - no one will know.

I think that's really all there is to it. Security is obscure and complicated.
