Frankly, security should not be the top priority of a small startup, unless you deal with extremely sensitive data. I'm not sure it should make the top five. Off the top of my head, survival, product dev, growth, hiring and infra are all more important if you're just starting out.
There are certain things that are very difficult to implement if you skip them at launch. For example, encryption of 3rd-party secrets. CircleCI is a good example of a successful company burning themselves badly by treating encryption as an afterthought.