I'd say security failure is partly due to incentive alignment failure for developers.
Bad security design is a problem that's going to bite, but usually a little later, after version 1 is out the door and everyone's paid.
Not meeting the pretty much arbitrary and insanely optimistic delivery schedule is going to bite developers right now.
Corners will be cut, even if some of the developers know what SHOULD be done.
In general, almost every architectural aspect of software, including security, (well-factoredness, maintainability, scalability, extensibility, low-coupling, you name it) is hidden, except to a few experts who aren't usually those in decision-making roles. That's why so much software delivered is a Potemkin village.