Developers don't care about security because the business pays them and the business only cares about output.<p>Sure, the security budget is defined, but they typically leverage a developer ad an ASC to do most of the work as an above-and-beyond effort while paying them the same amount.<p>That's been my experience.