• "Most developers are reluctant to take the responsibility in security and assume that this is the job of web administrators and network engineers."

    I think it is a case of the fear that responsibility = blame. With very few exceptions the developers I have worked with have taken security very seriously but have been hampered by lack of knowledge.

    Like most subjects, you can read up on basic things such as preventing SQL Injection Attacks and Least Privilege Permissions, but going beyond that, what do you do?

    Do the non-technical parts of your company realise that it takes time to design a robust system?

    Do they realise that they have a very big role to play in helping with security?

    Security, like quality, has to be part of the DNA of your internal systems. Everyone is responsible.

    There also needs to be a clear chain of command so if a hole is found everyone knows who to escalate it to in order to get it fixed.