It depends on context really. Security is a feature like anything else. In an ideal world I would agree with you, but professional security costs a lot of money and the stakeholder is not necessarily willing to pay for it versus actually observable features. Also, security might be irrelevant in a bunch of contexts, particularly with great recovery options (and absence of PII) that you need to have anyway and people are actually willing to pay for it as it covers grounds that overlap with security partially or totally.