• I would argue with the first statement you made, about security being the second thing to worry about. Let me say that, for you, I am pretty comfortable that you take security seriously. So my next comment is assuredly not about you, and probably not about most of the people who frequent this site. It is simply about human nature, and the industry as a whole, and mostly about bad management.

Security should be our first concern. Treating it as a lower priority, even if it only follows data integrity, ends up being an excuse for a lot of people to ignore security altogether. "I didn't have time, I had to work on (insert whatever inane excuse you like here)." How often do we hear that people simply didn't have time or resources to work on security? I believe that is probably the number one excuse behind every failure. The number two excuse is to blame the people breaking in, and the third is probably blaming Microsoft. My view is that we should look at ourselves first. Did we really do everything we could do?

Yes, sometimes the powers that be set artificial limits on us. Therefore, if we start with security first, it is part of what we build. We don't have to get approval to add it later. I know the numbers will vary, but my guess is that adding security on top of a complete project might double the amount of time to delivery, while adding it in from the start might add 5-10%. Regardless, it is always quicker to build it in from the start. Safer, too.

Dave