To be fair, plenty of "regular devs" skip the first part 2, and then try to find away to shoehorn security after the fact. Source: over a decade working in embedded software in a corporate environment.