I consider it a red flag when people say this. Security is everybody's responsibility, and if you can't implement, say, oauth2, something that has a clear specification and dozens of implementations to learn from on Github, then I can't trust you to handle the day-to-day freeform work.