I have never ever met at dev with that attitude. I've seen managers trying to postpone fixes, because they naively thought there was little chance it would be discovered by hackers. A quick tour of Shodan, logs of SSH access attempts and access logs with the various script-kiddy attempts, usually convince that type of manager to prioritize hardening