They aren't joking. How? Because they went out of their way to hire very good appsec people to build their team. There's a geography and right-place right-time element to what they did, too.
They're a pretty good case study for how the right senior hires at the right time can set the tone for a security organization for many years after those people leave.
Etsy is a weird case. I'd never, ever have thought there's so many such good people in a company that initially seemed to me to be a random eBay-like store for selling trinkets. And yet, it turns out they have serious talent and post a lot of very interesting tech stuff.
They had (have?) a security team entirely larger and more competent than I'd expect (or, honestly, really choose to seek to have) in an org their size. I think they were just lucky to get a couple great people early on and doubled down.
They're a pretty good case study for how the right senior hires at the right time can set the tone for a security organization for many years after those people leave.