As someone who has been a SWE, PM, and VC in the cybersecurity space and constantly meets with CISOs as well as has formerly been a security practitioner (I should get back to using HackerOne again for fun), I can safely say that the overwhelming majority of security incidents are due to some form of misconfig because development and code review are orthogonal to proactive security checks.

Shift-left was supposed to fix that but it failed because the primary persona to sell ended up becoming the CISO again, and not trying to find a way to make security ownership a Dev and QA responsibility as well (this is largely organizational).