Even if it was down to "a couple of software engineers"...
This would have to be attributable to unnecessary requirements, as if it was in the requirements it would be a project decision sanctioned by management.
If there are unnecessary requirements, then the project does not comply with ISO 26262, which would also make the problem a management failure.
The argument that it's down to rogue developers can only be supported if the software has been "hacked" without a proper development process being in place.