What it is, exactly, that’s unique about security as a system requirement?
It's a negative requirement.
A secure system is basically a system that is incapable of doing things that are not specified.
Requirements to any system define a limited list on what the system shall do after implementation.
Execute functions, show values, read inputs, wrtite outputs, etc.
Checking correctness and completeness is easy: Just test if every defined function works, if every defined input creates the specified output.
Security requirements are in contrast an nearly indefinite, negative list of things a system must NOT do, e.g. everything that is not in the requirements.
Like multiple types of crashes, multiple ways of letting external calls modify internal states without authorization, misunderstand authorization of a request, do funny things on garbeled inputs, garbling outputs, etc.
Each of those things a system must not do in turn has multiple potential causes, that are pretty specific to program, context and architecture.
So completely checking security is a basically indefinite task, as is requires an indefinite amount of different inputs/actions to be executed and verified to not result in a failure.
Security _is_ hard.