Kind of getting off topic, but big companies who do not do serious security end up on the news. Startups generally do not until they are big companies.
Companies who take security seriously may even do daily scans. I have a major client who does penetration testing EVERY DAY. And all source code is security scanned by multiple third parties before it is released... AND you have to make sure that your code is bulletproof beyond that, because you not only have to pass the security scanners but also you have to be aware that if your company gets hacked, and they can point to code YOU wrote, you are in deep trouble.