> they usually have little authority regarding business decisions.

Sorry I didn't fully explain my thought. I agree with this. I don't think it's just developers that have a "developers vs business" mindset. The C-suite does also. In most companies, they look at the engineering org as a tool to be used and not as a partner in the business. The result being negligent behavior toward things like security.