Not one organization I have ever worked for has seriously cared about IT security.
When it comes to rolling out new products, ignoring security is the norm.
This is because the "window of opportunity" is only "open" for a short time - until the first, second, and maybe third movers go through it and grab most of the potential customers. Companies that spent the time to get the security right arrive at the window after it closes.
This happens anywhere the customers don't test for and reject non-secure versions of the "new shiny" - which means enterprises sometimes hold suppliers' feet to the fire (if the new thing doesn't give them an advantage commensurate with, or perceived as outweighing, the risk) but consumer stuff goes out wide open.
Then, if you're lucky and the supplier is clueful, they retrofit SOME security before the bad guys exploit enough holes to kill them.
I expect this will continue until several big-name tech companies get an effective corporate death penalty in response to the damages their customer base took from their security failings. Then the financial types will start including having a good, and improving with time, security story (no doubt called "best practices") among their check boxes for funding.