The first thing that came to mind when I read this headline was Valve's famous structureless work environment. If there's no structure, who handles all the grunt work nobody wants to do... like security?
Even if somebody is explicitly assigned to security, I'm not very confident they'd have the authority to make all these freewheeling ad hoc teams adhere to good practices.
A few months back I had a discussion with a Valve developer about the sandboxing they use for the Steam Overlay and its embedded web browser. I was describing how their sandboxing was inadequate and vulnerable, and he responded by explaining how they had done things correctly and listing the measures they took.
Then I explained that the measures were incomplete and the embedded browser wasn't actually secure (among other problems, the sandbox was running as Administrator with the debug privilege...) He investigated, and saw that the sandboxing was never finished by the engineer who worked on it. So he took some time to go finish it himself. Up until that point, Valve had been operating under the assumption that they had a working sandbox - worse than if they had no sandbox at all.
The above is merely an anecdote, but I've heard a lot from current/former Valve employees to the effect that engineers are rewarded for doing high-profile/high-impact work and not encouraged to do much else. If you interact with them as a game developer you can really see this in action with how they ship Steamworks updates - major features break without warning, bugs go unfixed, no real support channel, incomplete documentation.
I spent a couple weeks building out Steam Workshop support for a title. Doing this required identifying and working around a handful of strange, undocumented bugs and API limitations. In the time since we launched, Steam updates have broken the workshop support at least twice, requiring me to spend a day or two figuring out what broke and ship a patch. I've seen similar issues with other titles.
My own interaction with two developers there several years ago was that the web was clearly the redheaded stepchild of Valve. I think they said something like maybe 7 people worked on those features back then, one of those two only sort of worked on it. Additionally, they only really had something like 3-4 people focusing on it most of the time.
For years they had prototype.js included, yet the library was essentially dead at that point for at least a year. Now they have jQuery and are running 1.8.X version, which means they are using a 3 year old version. I think this kind of speaks for itself.
Indeed, it's less a matter of organizational style and more a matter of people in the company valuing QA enough to hire dedicated personnel, and then getting out of their way.
If I (somehow) got hired at Valve, I would dedicate myself to fixing Steam's deeply shitty UI. Just off the top of my head, trailer videos on Steam don't buffer more than a few seconds ahead unless you watch the entire video, and it is literally impossible to return to the exact beginning of a video without first switching away from it (you can only navigate by clicking--not dragging--the progress slider, and it lacks the resolution to go back earlier than the first second or two). And of course it doesn't recognize universal-standard keyboard commands, like Space to play/pause and arrows to navigate. They only recently let you play/pause by clicking on the video instead of on the tiny button.
Trailers for pre-Greenlight games are actually better, because they're forced to use YouTube since Valve isn't willing to invest streaming video bandwidth in them yet. It's wretched.
And that includes security issues; there's one notable vuln where a malicious server or custom map can execute arbitrary code on clients. Reported that a few months ago, it's fixed in CS:GO and TF2, but other Valve games apparently aren't receiving fixes (Portal, Portal 2, Left 4 Dead, Left 4 Dead 2, Counter-Strike: Source, HL2DM...)
And that's not to mention the folks who license the Source engine from Valve, who I'm currently trying to contact en masse and get them to fix this (and many other security-critical issues). Apparently, Valve doesn't push security patches downstream to them...