In our modern age, security is a feature. You can sell it. If you get caught without it your brand and your customers can be hurt. So, why are there so many insecure websites, web applications, and web services? If product managers and product owners had security in mind as a feature would we be in such a sad state of affairs?
Just look at the last short period of time. Social engineering and research were used to get into celebrity data, Home Depot became the latest major retailer in a long line to have credit and debit card information stolen, and HealthCare.gov was even breached. This isn't just for the large and visible. I'm aware of many small sites and applications who've been hacked.