"Developers are responsible for insecurity."
True.
Always.
And to the reply "The PHB made me do it." Make sure you have a record of supplying them with an analysis of what happens (especially how much money) will be lost if the project goes live with their planned arrangements and security is breached.