This is a bit too far to put the onus on devs for security, and the comparison is more like apples to oranges with other regular licensed engineers. It's hard to justify ROI on security; if anything, it makes it harder to roll out features with more traction.

In the absence of any fine, most companies are comfortable with a bit of reputation damage.