• I've been doing application development, database development, and DBA work since 1986. In my experience, developers learn about the importance of good security over time and eventually learn that their "custom method" is not better than any standard. I think the problem with convincing developers they can't manage identity better is more a matter of education and experience. Sending them to classes on security early on in their career will help them learn sooner that the "custom method" is usually just smoke and mirrors or security by obscurity rather than real security.

    I also totally agree with Iulian that management should be making security decisions, not developers. But the decisions must be based on education/knowledge and experience. So if management is not knowledgeable in security matters, then they need to be sure their security decisions are based on recommendations from people who do have the knowledge and experience, not on the recommendations of a new developer who doesn't know any better.

    New inexperienced management + new inexperienced developer = all the headlines we read about security breaches.