The decision to the amount of security to incorporate depends upon the sensitivity of data. The more sensitive the data, the lower the risk of a security breach it should be exposed to, and hence the higher security requirement (and vice versa).
The popularity of the product also is the grey area of security as the software that is used frequently by a large number of users tends to be most targeted by hackers. As the user base increases, the company should begin to reassess their security policy towards their products.
Further, the target audience understands and/or ability to control the security risks involved. For example if a product proves extremely useful to a niche target audience (who are, say, developers themselves) despite the alarming lack of security, perhaps it would be justifiable to continue with such an arrangement; the target audience understands the security risks involved, and are willing to trade the risks for usefulness.
