Dev culture: "We're going to add the security later"

How do you deal with dev teams which adopt the titular attitude as they:

• bake in hard-coded credentials
• write secrets to plain text files
• disable TLS validation by default
• etc...

From my perspective, there's never an excuse to take these shortcuts.

Don't have a trusted certificate in the dev server? You're a developer, right? Add a --disable-tls-validation switch to your client with secure-by-default behavior.

These shortcuts get overlooked when software ships, and lead to audit/pentest findings, CVEs and compromise.

Chime in on these issues early and you're an alarmist: "calm down... we're going to change that..."

Say nothing and the product ships while writing passwords to syslog.

Is there an authoritative voice on this issue which you use to shore up the "knowingly writing future CVEs isn't okay" argument?