Companies don't give a shit about security until it's too late. Security is a complex beast and I have yet to meet a developer who understands it top to bottom (nor should they but I would expect even juniors to know they should not store creds in the git repo). It's an increasing specialist role that startups rarely hire for because they're focusing on survival and growth so it's to be expected this story will repeat ad nausea.