While some of what you say is true, there are a minority of developers who are eager to show they know security better than me, and will spend weeks arguing that they don't need to add the s after http because "we have a firewall!", or arguing that they don't need to patch a library because the execution path isn't one they use (sure, but forever, and what happens when one of the banks who run our software runs a scanner tool against it? HONESTLY it's easier just to patch it than to lose deals because a customer sees a CVE of 10.0 and runs for the hills).
And yes, I know there are some checkbox compliance folks out there, but sometimes that is important, when you're selling to industries with checkbox compliance folks.
Min