
I think this is correct but is tricky to put into action, as companies rarely staff security departments to do this; typically you'll see ratios of 20 devs or even 50 devs to 1 security person. At that level it's very difficult for the security person to know enough/have enough time for detail work.

Ideally technical security implementation should be seen as a function of the development/DevOps teams. You can have security teams to provide specific advice but the work of designing and implementing controls is best done within the team managing the system.



