The problem with relegating "security" to various other teams within IT operations (though really, security holes are primarily a software design - and possibly implementation - problem) is that each team will simply try to push a problem onto another team.
I have worked in many organisations that have assigned specific and rigid roles to their various teams, they all spend significant amounts of time and effort trying to convince all and sundry in management that a particular problem is not their responsibility: either to take the blame for, or to resolve. I can see security issues being just another political football that gets kicked around for days, weeks, months, while the hackers hack away, merrily.
It seems to me that this is the biggest failing of all the many business accreditation and "quality" initiatives that companies get suckered into. They all attempt to set out who is responsible for what, but cannot deal with issues that are multi-disciplinary in their nature, unforeseen, urgent and exceptional. By using this sort of approach, each team merely has a narrow view of the corporate "sky", through their particular "pipe" and fails to see the big picture: to do business and make money in an efficient, legal, safe and secure organisation.
So sure, devolve responsibility for "security" amongst the IT teams. But at the same time ensure there is someone very high up who then has absolute power to cut through org-charts and charters, to tell anyone in any of those teams to stop what they are doing and FIX THAT SECURITY PROBLEM. NOW!