One thing that always bugged me about the criticism of the Diaspora release was that people criticize it like it is production software when they clearly stated it was a "pre-alpha developer preview". Who cares if they didn't have security checks? They could have been just waiting till later to add them all in.
I know when I build I like getting the scaffold/mvp up as quickly as possible ignoring security because hey, this thing isn't out in the wild, and do my due diligence on security after I am happy with the prototype.
It was getting deployed as a production service in many places, so it was effectively "out in the wild". Labeling something a "pre-alpha developer preview" does not remove the responsibility of protecting users' data.
I think of this as similar to error handling/reporting. If you don't build in a mechanism from the beginning, it's going to be so much more difficult to do it later.
I know when I build I like getting the scaffold/mvp up as quickly as possible ignoring security because hey, this thing isn't out in the wild, and do my due diligence on security after I am happy with the prototype.