The easiest way to make sure your product works with everything else is to lower all the barriers, set all the defaults to the least secure options, and make the configuration as open as possible.
If you don't do this, you have to provide lots of end-user support to your customers to help them configure your product so that it works for their environment and use case, which is expensive and time-consuming.
On the other side of the problem, the sysadmin who has to get the product (that the middle manager bought) working in their environment doesn't have time to dig through all the documentation (if it exists) and learn how to configure the product securely while still interoperating with everything else, because management wants it working yesterday.
As a result, everything is Swiss cheese forever, because only the minimum configuration work required to get something working is done. The people who make purchasing decisions don't care about security, and the people who do care are overworked and understaffed. Even after something bad happens, management still doesn't care, beyond the limits of liability.
There will never be security in these systems except whatever is forced by government regulation.