"It can't be bolted on after the fact" doesn't mean it's impossible to take an insecure codebase and make it secure. It means that you can't leave it to the last thing and then just toss a few security things into your product. It means you have to rearchitect major pieces of the product, possibly all the major pieces, possibly switching around what the major pieces are entirely. If you want to show that in the "vast majority of cases" that happens, you need to start by establishing not merely that a particular codebase went from "insecure because hardly anybody thought about security" to "reasonably secure", but that the transition was easy.
Facebook probably isn't the best starting point because anything working at that scale is a challenge no matter what.
(Edit: Though if one measures Diaspora's eventual size if it reaches its goals and considers what percentage of the man-hours have been put in to date, this is still early in the process and major rearchitecting of every component was inevitable anyhow, so hopefully with one of those they can install some security too.)
In fact, this is how it happens in the vast majority of cases, including the case of Facebook.