Why would any rational manager prioritize security when those are the facts on the ground? It just represents money spent and agility lost, without a corresponding upside big enough to justify it. (Except for your ability to sleep at night.) The only way forward is for something to change that shifts the balance of incentives for all players towards security, rather than away from it.
My pet proposal to accomplish this is to create something along the lines of Underwriters Laboratories (https://en.wikipedia.org/wiki/UL_(safety_organization)). Have an independent third party that promulgates standards for security, and can certify products that comply with those standards as secure. Give that certification a fancy logo that the products can use in their marketing, to give customers a way to look for products that comply with the standards. Work with insurers so that companies that follow the standards are understood to be lower-risk than those that do not. Etc.
If I recall correctly, Bruce Schneier is a proponent of this idea.