Not financial sector, but in my own experience working in tech consulting partnering with large management consulting firms in the past, security was the last thing to get checked and the first thing to be neglected.
Sure, there were some "bare minimum" things that were expected to be upheld, like passwords not being in plain text, but come time for a security audit it was exactly as you say: not done out of genuine interest in security but as a rubber stamp of items to be able to show the client "look, we did this".
Not even joking when I say that the development plan for most of these projects basically just tacked on a few days in the last week for "security improvements" alongside things like "tech debt" rather than it being a top of mind thing for the entire development process.