Security? We don't need no security!
Imagine you're the CEO of a Web 2.0 startup working on the Next Big Thing. Your product is ready for release, but you have the choice of paying a security team a lot of money to spend 3 months kicking the tyres to find (most of) the security holes. You're going to pay the money and hold off, aren't you, since security is "Job #1"? Yeah, right!
Users can't see security - except when it gets in the way or (ultimately) when it fails. And first to market trumps other concerns.
Wrapping insecure code with endless layers of sticking-plaster patches doesn't work and only introduces more holes. The only way to get a truly secure product is to design security in from the ground up. But that's tough to do, adds costs, diminishes the user experience and (worst of all) delays development. And that's why we have insecure software and (until something changes fundamentally) always will have.