Because the importance of security isn't respected until it's too late. At any medium to large company, in your team's planning process you always need to justify the business or customer impact (even on infra teams). And security-related efforts are much harder to sell because the impact is a "what if" and not $$ saved, products being easier/faster to develop, or customers benefiting in some way.
Also, basic security knowledge isn't screened for in hiring, nor is it really taught in most orgs (aside from trainings that people skip or optional stuff).