Security teams are the rarely thanked defenders of today's digital lifestyles. At peak performance, they are invisible. Only when problems arise do people tend to take notice.
Think of a day when a company's security was greatly enhanced. It may have been as routine and boring as it gets. In the morning, three newly released patches were immediately applied to load balancers, a database, and of course Adobe Flash. In the afternoon, a pen test result came back with one minor-severity vulnerability on a test server: a cross-site scripting issue confined to test data. The time saved went to fixing a vulnerability in which the mobile app allowed any self-signed certificate, a much greater concern.
When a competitor's app fell victim to a man-in-the-middle attack for the same reason, that proved to be the right decision.
The security team properly triaged its own time, focusing on severe vulnerabilities first.