IMO often this just reflects the priorities of the organization.
While it is the responsibility of devs, some system needs to be put in place to actually enforce it. Like, do not have an NFS shared volume, or incentivise anybody to report these, and give incentives for it. Otherwise "just be very careful" advice slows development to a halt.
I only half agree. Of course the company needs to have processes in place. But having shared storage can serve a multitude of legit purposes, and I feel like some alarm should go off in a developer's mind when he thinks of just dumping secrets there. Or in the mind of the next one who comes along and uses them.
Or you might not have shared storage, and then they'll just put the creds in a Google spreadsheet like I've seen very recently.