It should be, but a lot of developers don’t have formal security training, nor especially management, which may end up selecting the contractors/developers and deciding on the technical approach.
If it’s explicitly not production ready, it should probably say so up front, not advertise itself as “strong encryption”. However painful that may be.