We have to start by teaching new programmers how to make secure systems first (and I repeat, systems, not just programs) and just then how to program.
This theory can be applied to so many things when it comes to programming and designing. Many web applications are designed by designers, and security is never a consideration. Security awareness is increasing though, but it will take time to spread this knowledge through the industry.
Getting the job done is no excuse for not following the rules. Corollary: Following the rules will not get the job done.