Challenges in Developing Secure Software -- Results of an Interview Study in the German Software Industry

📅 2025-12-08
🤖 AI Summary
This study identifies four systemic barriers to secure software development in Germany’s software industry: excessive system complexity, weak security awareness, misalignment between development processes and security practices, and a critical shortage of qualified security professionals. Drawing on semi-structured interviews with 19 domain experts from 12 cross-sector enterprises—and employing qualitative content analysis alongside multi-case comparison—it provides the first empirically grounded, industry-wide synthesis of bottlenecks hindering secure engineering adoption. Its primary contribution is a novel three-dimensional analytical framework—linking *problems*, *root causes*, and *impacts*—that bridges the theory-practice gap in cybersecurity engineering research. Based on this framework, the study proposes three priority research directions: (1) lightweight secure engineering methods tailored for highly complex systems; (2) organization-level models for cultivating sustainable security capability; and (3) human–AI collaborative paradigms for security automation tool design. These findings offer an evidence-based foundation for standards development, workforce training reform, and security tool innovation.

📝 Abstract
The damage caused by cybercrime makes the development of secure software inevitable. Although many tools and frameworks exist to support the development of secure software, statistics on cybercrime show no improvement in recent years. To understand the challenges software companies face in developing secure software, we conducted an interview study with 19 industry experts from 12 cross-industry companies. The results of our study show that the challenges are mainly due to high complexity, a lack of security awareness, and unsuitable processes, which are further exacerbated by an immediate lack of skilled personnel. This article presents our study and the challenges we identified, and derives potential research directions from them.

Problem

Research questions and friction points this paper is trying to address.

Identifies challenges in developing secure software
Explores lack of security awareness and skilled personnel
Analyzes complexity and process issues in software security

Innovation

Methods, ideas, or system contributions that make the work stand out.

Interview study with industry experts
Identified challenges in secure software development
Derived potential research directions