The biggest problems with security (at the code level)
1) There are hardly ever any security requirements, even when every other aspect of the system does have them;
2) There is no traceability from security requirements (if they do exist) through to test artifacts;
3) Artifacts are too often managed manually;
4) It is common to find that tools such as static analysers are not used.
But the biggest issue seems to be that the IT / IoT sectors are not as willing to use a suitable, controlled development process. Other sectors (e.g. avionics) have been on top of this for years, so it can be done. Sure, the processes they use may be too "heavy" to use in full, but the principles are well established and work.
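Points 2 and 3 above (no traceability from security requirements to tests, and artifacts managed by hand) are the ones most easily fixed with a small amount of automation. The script below is an added illustration, not code from the original post or any real project: it assumes a requirement register keyed by ids such as SEC-001 and a tagging convention where each test carries a `# verifies: SEC-nnn` comment, builds the traceability matrix from those tags, and reports any security requirement with no test evidence so the build can fail on it.

```python
import re
# Constructed sample requirement register (not from any real project).
SECURITY_REQUIREMENTS = {
    "SEC-001": "Passwords are stored only as salted hashes",
    "SEC-002": "Session tokens expire after 15 minutes of inactivity",
    "SEC-003": "All user input reaching SQL is parameterised",
}

# Constructed test sources. Assumed convention: a '# verifies: SEC-nnn'
# comment inside each test names the requirement(s) it covers.
TEST_SOURCES = {
    "tests/test_auth.py": """
def test_password_hash_is_salted():
    # verifies: SEC-001
    ...
def test_session_expiry():
    # verifies: SEC-002, SEC-999
    ...
""",
    "tests/test_db.py": """
def test_query_runs():
    ...
""",
}

TAG_RE = re.compile(r"#\s*verifies:\s*([A-Z]+-\d+(?:\s*,\s*[A-Z]+-\d+)*)")

def build_matrix(requirements, sources):
    """Map every requirement id to the test files that tag it, and collect
    tags that point at ids missing from the register (stale or mistyped)."""
    matrix = {req: [] for req in requirements}
    unknown = set()
    for path, text in sources.items():
        for match in TAG_RE.finditer(text):
            for req in re.split(r"\s*,\s*", match.group(1)):
                if req not in matrix:
                    unknown.add(req)
                elif path not in matrix[req]:
                    matrix[req].append(path)
    return matrix, sorted(unknown)

def untested(matrix):
    """Requirement ids with no test evidence; non-empty means the build should fail."""
    return sorted(req for req, files in matrix.items() if not files)

if __name__ == "__main__":
    matrix, unknown = build_matrix(SECURITY_REQUIREMENTS, TEST_SOURCES)
    print("untested:", untested(matrix), "unknown tags:", unknown)
```

Running it as a pipeline step turns the matrix into a generated artifact rather than a hand-maintained spreadsheet, and the unknown-tag list catches tests that still reference requirements that were renumbered or removed.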