Having been a sysadmin you would be surprised at both the amount of times I had to explain why we couldn't just put an unprotected endpoint outside the firewall and also how much alcohol I drank to cope with the former.
It is like being builder to architects that think you can have a second story just floating in midair. I am baffled by how ignorant of the basics of infrastructure many developers are.
Obviously I don't expect a website dev to know the details of like iptables configs for load balancing with failover or whatever. Or even be terribly familiar with how to set up a production web server. I do expect people to know stuff like every computer on the internet is under constant attack from scripts. Or that taking advantage of peoples' trust and leaking their data is bad actually.