There are things that a developer can and should check to make sure his code is secure, but my focus is mainly on the systems and those can definitely be held to standards. Things like checking dependencies for known exploits, enforcing 2FA and TLS on all connections, encrypting data at rest, and testing backups, among a lot of other stuff.

I've worked with hundreds of organizations across many different industries in my career and almost none of them do all or even most of those, even if they need to be compliant for things like HIPAA or SOX. I once worked with an aerospace company whose sysadmin/webmaster/network guy was literally the founder's son, who got the job because he knew how to make a web page.