I don’t think you should have to pay extra for extra security in general. Making a product or service free of security defects ought to be considered a basic requirement of merchantability.
But we should also draw a distinction between, like, real security defects (RCEs, that sort of thing) and features that might make it easier to deploy a system securely (SSO).
But we should also draw a distinction between, like, real security defects (RCEs, that sort of thing) and features that might make it easier to deploy a system securely (SSO).