I wonder if this is a product of Valve's free-form company structure. If as a Valve employee, you have the autonomy to float between projects, how do you maintain a strong security team? Do they even have a dedicate security team?
I've worked with extremely competent security professionals before. Those people love and are fanatical about security. Based on my experience, it seems a near certainty that Valve doesn't employee even a single such person. These people raise hell if security is ignored and have a job freedom that makes typical software engineers look like panhandlers.
Let's remember that Valve is the oldest there is in a business they pretty much pioneered with Steam over 15 years ago.
As somebody who's had an account there since day 1, I'm still amazed by how tight they've managed to keep their ship for all these years, even tho plenty of people have been trying to break into that very worthwhile target for over a decade.
If I contrast that to my experiences with services like Uplay, and Origin, then those differences are like night&day, because with both my accounts on these services I had lot's of issues due to my accounts getting hijacked (probably trough support) several times.
In 15+ years of using Steam, this hasn't happened once to me, so whatever Valve is doing at that end, it seems to have worked well for them and their customers.
That's not meant to defend their stance on this particular issue, but imho it's also kinda dishonest to now frame Valve as a company where nobody cares about security.
If that'd be really the case then they would have gone out of business over a decade ago.
