
Why was there no gradual rollout of the update?


Security companies are always cowboys.

Gradual rollout? No no, we need the ability to respond to attacks and vulnerabilities fast.

Limiting the service's access and power, like we do for every other service? No no, we need to run as root and access every single user's SSH private keys and browser cookies. How else would we check they're encrypted, in line with your IT policy?

Secure boot? You'll have to bypass it for us so our 'security' kernel module can load, go into the BIOS and install this special key of ours.

Strict code reviews? We consider this bash script run as root to be 'configuration' rather than code.

Installing all software updates? No no, although we need to roll out our changes immediately, we don't support a new LTS Ubuntu release until it's been out for 6 months...


Rushed to finish enough Jira points by the end of this sprint - because those points matter more in a corporation than sensible periodic slowdown.


As a QE, I wonder how the QA process looks in this company. Someone put their stamp of approval on this release. Or did they?



