Security has to be baked into the infrastructure and development process rather than sprinkled on top of a deliverable like spice. For example, servers and databases in development should be provisioned by the DBA with default security in place, and developer should not have privilege to alter security settings or add logins without a change request. If the application and database objects are developed within those constraints, then the developers will soon learn what's "normal", how to code within the box, and the deliverable will deploy to production without issue.
Great statement "Security has to be baked into the infrastructure and development process rather than sprinkled on top of a deliverable like spice. "
Yes, that one sentence is dead right. It's the only thing in that post that is right, the rest is pure rubbish.