Software is easy to get wrong, and security software needs to be right. This makes good security software hard.
It's especially hard for beginners, because (in my experience) good documentation, examples, and tutorials for common, "hello world" level security software development that actually do things right are nearly nonexistent. Try finding an example of how to write a tool that takes a password to encrypt and decrypt text using ChaCha20, for instance, or even AES, that is comprehensible to someone who has been writing web applications, test frameworks, and Unix command line tools.
This is a big problem, but nobody seems to have noticed, or to care.