Missing the Basics
NIST publication "SP 800-218, Secure Software Development Framework (SSDF)" (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf) has a lot of bureaucratic-buzzword-speak, but it also has some genuinely useful guidance. For example, "Task PO.2.3: Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities."
Speaking for myself, a portion of that commitment (if it is true commitment and not just lip service) must include the needed time, people, and equipment to do the job properly. If the managers choose not to commit to secure development, the devs or lower-level managers can't force them to do so. Are the devs or lower-level managers then to be blamed for "failing" to execute task PO.2.3?
As long as companies and their managers allow artificial deadlines to be imposed without considering the resources needed to do the job properly, security bugs will be introduced, left unfixed, or both.
That's particularly true when the artificial deadline is imposed by the government, with penalties for failure to ship on time. Of course the company will ship something by the deadline, and if security bugs are found in that product, the company will say, "Oh, gee, we're sorry."