I recently prepared a talk for DOXMOUTH (a DevOps meetup in Bournemouth) on the topic of security as a shared responsibility, as it applies to product teams today. The preface is based on the premise that more and more businesses today are building software faster, and as the velocity of software development increases, so do the threats.
At the end of the talk, the last question asked who wears the security responsibility hat, and I didn't really get to the answer very fast. Enterprises that have a CISO usually require them to take the final responsibility for security from a regulatory perspective. While the work is done in the product teams, the responsibility sits higher up. Perhaps some responsibility also belongs to the Product Owner.