It will look better for the project lead if there's an issue though. You can say that you enabled everything recommended by Google or w/e, following best practices, and still got pwned instead of arguing that your own security model had a tiny little flaw that no one recognized. And it frees up project hours which can either be the difference between doing the project or not doing it and/or allow you to have other project work billed to this project.
That's definitely a thing in the corporate world. It doesn't even have to be the project lead, sometimes it comes via stakeholders, some times its even well meaning devs. It is a difficult balance to strike if you want to "only be reasonably safe" whereas cargo culting all security features might take a bit of time but you now can say "hey we did everything"
[]: everything may very well not be a thing but people like to pretend it is