Blame to go round
There is plenty of blame for the current situation, and it can be flung at all levels.
The issue is how to fix it, and it needs a multi-threaded response:
Education: Teach people secure coding, stop them from writing insecure stuff in the first place.
(Don't tell me this is done already; the OWASP Top 10 hasn't materially changed in a decade.)
Enablement: Allow time to properly write secure code, don't allow it past checkpoints if it isn't secure, tested and documented.
Enforcement: Make companies criminally and financially responsible for anything that is lost by exploiting their insecure code.