I hear (Agile) people saying that no one is looking into security because no one cares, or that they have bugs because their managers are not hiring testers.
Companies that decide to take the transformation path to Agile are often worried about which role is responsible for what. They worry because they are used to controlling things, and they are used to control because otherwise things do not get done properly or on time. Agile “gurus” respond: “Let them self-organize! They can handle it. You do not need to control!” Those managers who believed this and decided to try it out (because Agile says: experiment!) watched the team simply fail badly, and then lost trust in Agile. Sometimes they conclude that Agile is not for them; sometimes they realize that they need help.
Both scenarios have the same root problem: the people involved are not fully aware of what it means to be Agile. In both cases specialists limit themselves to what they are responsible for. They set themselves the target of accomplishing the tasks related to their role instead of the final delivery (for example, the potentially shippable increment used in Scrum). Everyone in an Agile environment should act as a leader at the proper time for a particular initiative. If that were true, team members in the first scenario would accomplish the required tasks (e.g. the security-related ones), and in the second scenario the team would sit together, identify what is missing to achieve the goal, and work out how they can help. They should do that at least every day. It takes time and effort to reach such maturity and to get used to a different definition of success. Sometimes you do need to hire a specialist, but in most cases the real problem is the “it is not my job” attitude.
I wish you luck and patience in learning new ways.