I don't agree that was enough of a reason to drop them. An attacker getting access to your dev environment, even if you're one of the largest security focus endeavours, is pretty much an inevitability. Someone's gonna get access to one of your engineers macbooks, no matter what.

The thing that's bad, is that apparently their developers have access to (backups off) production data. That implies that their security infrastructure is not different from regular startups at all so all of their marketing is just bullshit. They didn't sacrifice developer productivity for security on this point, so they can't be trusted to have sacrificed anything for security at any point.