Developers are expected to deliver features in the first place. They often have no allocated time for security checks. Also, most security issues will never get discovered. And what if it gets found? Then you get time (or money) to fix that. In many cases, it doesn't work the other way around; developers do not get time to fix unknown issues. Therefore, it is not in their interest to deliver secure products. However, I expect that 80% of the XSS and SQLi vulnerabilities won't exist if developers are security-aware and willing to deliver secure products. The tools that help mitigate this problem are the tools that the security officer knows already. Think pen testing and other tools that retroactively search for flaws. These tools are great, but proactively preventing vulnerabilities is likely more effective than retroactively searching for them. A real solution to this problem must bring developers joy and meaningfulness so that they have a reason to prevent vulnerabilities in the first place. In my opinion, that is the task of the security team, instead of being the policeman playing cat and mouse games.