9dev 5 days ago

That sounds like a perspective from deep in the trenches. A software system has SO many parts, spanning your code, other people’s code, open source software, hardware appliances, SaaS tools, office software, email servers, and also humans reachable via social engineering. If someone makes a project manager click a link leading to a fake Jira login, and the attacker uses the credentials to issue a Jira access token, and uses that to impersonate the manager to create an innocuous ticket, and a low-tier developer introduces a subtle change in functionality that opens up a hole… then you have an insecure system.

This story spans a lot of different concerns, only a few of which are related to coding skills. Building secure software means defending in breadth, always, not fucking up once, against an armada of bots and creative hackers that only need to get lucky once.