I think you're right, and it's not just security. Nearly any every other application vertical (accessibility, performance, localization, etc.) faces the same struggle compared to adding features. If the org doesn't care about it it doesn't get done. Whoever does do this kind of work needs to think very carefully about how to get their influence to scale.