As someone who is pretty much an app sec engineer, I feel like this rings true.
Furthermore, part of me suspects that the tangible business risk of application security flaws isn't felt until after a breach, when it's far too late to change things. Even then, sometimes the cost of a breach does not justify the expense of building a robust secure software development life-cycle.
That's a great point. Do you believe that the regularity of significant breaches has cheapened the reputational cost of having experienced such a breach? (Which, in turn, makes it less likely that "a robust secure software development life-cycle" will ever be built.)
I think it's worse than cheapening the reputational cost, it has put a concrete ceiling on the financial cost - something like users affected * 2 years of free credit monitoring.