This has nothing to do with testing. This is a lack of training.

I would say they need to 'think like an attacker' at least some of the time. But this is still too high of a bar.

I think this is really a problem of rewarding people when they finish things. One way or the other. It works, so on to the next project...

> This has nothing to do with testing.

A good QA can catch/test such security issues, although most such work is given to a dedicated pen tester to find weaknesses in the platform.

As someone who has been a SWE, PM, and VC in the cybersecurity space and constantly meets with CISOs, as well as having formerly been a security practitioner (I should get back to using HackerOne again for fun), I can safely say that the overwhelming majority of security incidents are due to some form of misconfig, because development and code review are orthogonal to proactive security checks.

Shift-left was supposed to fix that but it failed because the primary persona to sell ended up becoming the CISO again, and not trying to find a way to make security ownership a Dev and QA responsibility as well (this is largely organizational).