You are of course correct. However, there's a difference between enough security to launch (i.e. what comes with your framework like XSS, SQL injection protection and basic common sense etc.) and spending lots of time doing extra security stuff (like HTTPS everywhere, making sure cookies are properly scoped etc.) that could be spent getting your startup out of the door.
There has to be a balance, which is something quite a few fellow security nerds miss. The value security brings is in protecting data. If you have no data, then there's not much value in security. Likewise, if you have sensitive data then it's worth going the distance to secure it.