Hacker News
by crosser 1254 days ago
Because of delayed gratification.

People are mostly motivated by gratification. You've written _functioning_ code - you can instantly see how it solves the problem at hand. You've written _beautiful_ code - you can stare in satisfaction at the negative total in `git diff --stat`.

You've written secure code - your reward comes in the form of nobody talking about your code for the next twenty years ;)

2 comments

More likely the reward is people complaining about how inconvenient the new security process is for the next 20 years. "Oh I have to rotate keys now..." "I liked it better when it told me my password was wrong outright" "entering an MFA token from my phone is annoying" etc.

Heh that may be true sometimes. Though in my perception, "writing secure code" is more about sanitizing input and preventing buffer overflows than about enforcing secure practices on the user...

Most developers don't get to choose development priorities. Their gratification comes from a salary which may or may not rise by unknown proportion based on deltas in performance. The "real" incentives behind company performance are generally not owned by developers to any emotionally substantive extent.