Do you really care about security?
A $25,000-scale project is ordered by a large multinational corporation. They claim they should be and are secure, since security is crucial for them. Ask them how much of the budget of the project is allocated to security. They won't answer, because they can't.
The importance of an aspect of a project is usually determined by the investment. If half of the money of a web application goes to UX, the overall experience has all reasons to be good, unless, of course, there is waste of money somewhere. No money for UX means no designers, which means that the interface is done by developers themselves. Result: unusable (including by developers themselves) app.
When the only mention of security is made during meetings under the form: “We should care about security”, or under the form of different people who have no experience in security inventing ways to overly complicate the architecture of the application, security is obviously not a priority.
There are at least three ways to break the current app. One doesn't do anything dangerous. One may break SMTP servers of the company. One allows accessing any customer ID as well as their complete credit card information. Really.
They claim that security matters for them, and at the same time the product is developed under tight schedules, with no testing, no CI and “no time for refactoring”.
If security matters, those three points shouldn't evaluate to zero:
Money dedicated to security,
Security-aware persons in the team,
Man-hours dedicated to security.
When those three are equal to zero, don't claim that security is an important aspect of the project. Instead, change something to actually show it.