Then all the good developers leave. A series of decent people hire in, get frustrated and quit. After a while you just have a core group of either incompetent or desperate people hanging on.
Management can ignore for a few years. Rebooting things isn't too hard.
But then the issues that could be ignored can't be anymore. Eventually you get sold for the intellectual property or customer base.
If a "good developer" doesn't want to deal with the overhead of security, then, frankly, I have to ask why they are a "good developer"?
Why does security and compliance frustrate "good developers"? Is it the extra steps required? Is it that it sometimes (often?) means that they don't get to work with bleeding edge/greenfield technology and feel left out?
This seems like the heart of the security issue, IMO. Sure, there are investors and managers who don't prioritize this work, and there are definitely concerns with the amount of investment it takes to accomplish ... but if a large majority of the engineering team were pushing for security and compliance as part of their normal routine in the same way they push for things like automation, would that solve some of the other issues too?