Are features going to be de-prioritized in favour of hardening existing code? Or are employees expected to keep doing what they are doing just "with security in mind"?

The article makes it sound like the later. Which will be about as effective as "thoughts and prayers."