chrisss395 2 hours ago

In your opinion, is the lack of attention on security due to speed-bias or not having the expertise? For a startup / sole entrepreneur with very limited resources, what would be your advice?

hansvm 23 minutes ago | parent

IME it's always lack of experience, at least at the level being described here. It's the same kind of person adding CORS handling to a pure backend service for "security" reasons. They just don't know any better and don't have a good enough mental model of how it all fits together to be able to recognize when they need to research more. The insecure patterns being chosen instead usually aren't even easier or faster to implement.

I don't have any concrete recommendations other than that one really good senior+ engineer is more important than a legion of juniors early on. Basic security doesn't require an extra hire; it requires somebody experienced enough to build your product right.