Yeah performance, security, etc., is always a low priority in software departments. All work generally have to get funded by some current or expected income specifically linked to that work. Things are never linked to cost of NOT doing the work. It’s always assumed that there’s no cost to not doing something. This is a huge flaw in moderne business practices in general as the only thing that matters is current revenue for purposes of stock price or the companies value to investors. In software this means that any work is generally tied to some feature requested by upper management and usually connected to some sale or otherwise linked to expected income. And that means every new feature gets a limited budget and generally in the end, cost cutting trims that down before delivery, but instead of cutting business features, they have to cut things like performance and security testing and development. Those end up as “technical debt”, but there is almost never any income that gets tied to those unless there’s a lawsuit or other legal requirement that forces the company to fund those things. The whole idea of a department having to “sell” every piece of work to a “internal customer” so they can get money from the organization is a ridiculous idea. It’s all the same company’s money, there’s no actual customer and the whole bureaucracy to support all of that is a huge waste of time and money that could be put into the longterm health of the company. But longterm health isn’t important anymore in so many industries because consolidation and legal maneuvering has removed most competition in many industries.