Why would anyone who knows security make that claim? There's so much more than just software security. Even if you secured every bit of code your company wrote, that wouldn't make you secure. How much does solving for every OWASP top 10 vuln help when only 10% of your product is software your devs wrote? What about the open source libraries or non-software parts of the business? You can't run a company without using some amount of 3rd party software or having at least a few employees that need to communicate using chat or email. While I'd agree there's a lot of incompetence out there, I think the problem is much harder because there are a lot of variables out of your control. Now we're back at the original problem of how do I try to control for people and vendors I have to work with and there's a huge imbalance of information.
If your dependencies are out of your control then you are incompetent at security, full stop. Wrangling your dependencies and inputs is security and engineering 101. You will not get meaningful security without doing so. Being unable to do a critical part of the job because it is hard is textbook incompetence.
Everybody everywhere in software being totally slipshod on these elementary practices is a big part of why there is no meaningful security anywhere.