darzu 5 days ago
Take a broader view of what "building secure systems" means. It's not just about the code being written by ICs but about the business incentives, tech choices of leadership, the individual ways execs are rewarded, legacy realities, interactions with other companies, and a million other things. Our institutions are a complex result of all of these forces. Taken as a whole, and looking at the empirical evidence of companies and agencies frequently leaking data, the conclusion "we cannot build secure systems" is well founded.
wonderwonder 5 days ago
This is accurate. Especially in shops that implement firm shipping dates for Product Increments. You have X weeks to build Y features consisting of Z tickets. At the end of those X weeks you better have all your tickets done. So more often than not, the tickets are done and the features are implemented. Shops like this build incredible ticket closing machines. They are implemented to pass user acceptance testing, not to hold back hackers or bad actors. When leadership incentivizes delivering features and a developer's job or raise depends on delivering those features, you get what you incentivize.