tabbytown 2 days ago

> had such a small security team of just 6 engineers

> Company refused to allocate more than around 10 engineers to the Security team at any point

If true, this tells the story here with security culture at WhatsApp. Assuming a backlog of known weaknesses (as any established code base will have), and the velocity that 100 PMs and 1200 SWEs implies, how would you do anything as a security team besides stick your fingers in the figurative holes in the dike? The ensuing conflict between Baig and his superiors about not fixing stuff is surely going to result in an assessment of "poor performance" but is likely just Baig giving a f** about user data.