I've been in the web business since sometime around late 1995. I started writing "code" at that time just like everyone else did -- HTML... ONLY. Those were the days of simple web pages with no background and seldom any images. It was all about content and how it was organized. In those days it didn't seem like there was any need for real security or even what real security meant for web servers. At that time, it was rare to hear anything about systems being hacked, stealing company information, secrets, credit card numbers, personal information or defacing public-facing company portals. Even rarer were reports of DoS attacks or other debilitating web server attacks/hacks.
The climate on the Internet has most certainly changed since those days. Over the last 20 years or so, hacking groups that conduct their activities less for educational purposes and more to disrupt services or to push an agenda of some sort have proliferated in countries all over the world. In countries like China, Russia, North Korea, parts of Eastern Europe and Africa, there are hackers actively working on "0-day" hacks and exploits and writing infiltration code to break into your servers or even home computers. A New York Times article from 2010 (referenced here) talks to a young college graduate in China who uses hacking for "Fun" and "Profit".
As development practices have morphed into more advanced programming languages with the complexities of modern non-web applications, using many flavors of web and database platforms and a variety of supplemental frameworks, developers face challenges in proactively coding against a plethora of readily known hacks and exploits, not only in their code but in their web server infrastructure.
It almost takes a specialist in web security to ensure you're doing all you can to protect yourself or the company you work for from exploited web pages, data loss, an embarrassing bout of public humiliation from a defaced web portal, or worse, stolen customer data.
It's worth the research to get your servers set up correctly before moving them to the production environment. No matter which operating system you are working with, there are exploits for any software or server that you run out of the box. It's up to you to fix those exploits and close those holes before you go live. If you're lucky, you have a large team of people in your technology division and hopefully one of them has the experience to handle this task. Chances are the developer is the administrator, as is the case in most small modern companies.
So, how do you get a handle on it? Where can you go for help?