Several places I have worked for scoffed at security, or any other need not immediately visible to management. Many times I have written a requirements document for code based on the requirements document I was given that included performance and security elements that would have added between 2 and ten percent to the project and saved on the need for several servers(admin time and server cost) or would have closed up several security holes (priceless?) only to have the issues scratched from the immediate to-do list and added to the post-installation list. In most cases the performance items were driven back to us within a week of install (black eye) by which time we had those issues dealt with and were ready for more testing for a fast install.

We could have waited a week and installed without issue (smaller black eye), but our immediate management wanted to impress upper management by holding to their insane development time frames. We were almost never asked to do anything security related once the product was in.

The rule I have learned is if they can not see it, they do not care. Typical clueless mindset. We don't need a firesystem until we have a fire. Then its too late.