Congrats. Now recognize that you're an outlier. Most companies don't even think about these things, much less do anything to mitigate the risks.
It's not a complicated procedure to keep most things reasonably secure. Best practices aren't that hard - it's just that most startups don't bother with them.
The comment I think you were referring to was talking about an unlimited-budget, as-secure-as-possible scenario. It's a great thought experiment, but the bar doesn't need to be that high to stop almost all real-world attacks (as was also addressed in that comment).
You don't need to run faster than the lion, just faster than your companion.
Even considering state of the art security (e.g. Ed448-Goldilocks + ChaCha20-Poly1305) offers a finite security margin. (Probably on that is never going to be reached.)
You work in a company whose trade is credit cards. Security is 90% of what you must do, not only because it's credit cards, but because you're legally forbidden from doing your trade if you don't fulfill certain requirements.
So, not talk your team down, you likely are really interested in security. However keep in mind that that stems from the fact that you must and that your hiring likely is influenced by that as well.
Has the same kind of focus been true for all other companies you worked with as well?
Also, out of sheer curiosity, how do you encrypt the passwords on your accounts?
