I feel like a checklist is just part of it. The truth is that a secure software development lifecycle needs to be taken seriously at every stage, and this costs a lot of money. During prototyping and requirements gathering you need to be setting security requirements, vetting planned dependencies, and prototyping things like authentication and authorization. Each design should include threat modeling and threat mitigations. Implementation time should include mandatory code review, static analysis and secure code checklists. Testing needs to include manual penetration testing and dynamic scanning. Finally, maintenance is another area where things fall apart. Who is going to handle patching? Who will be accountable in 4 years when that version of Tomcat is EOL? None of these things are trivial, and people that have the skills to execute on them are rare. Getting a company fully willing to spend the money and time on them is even rarer. I had an old boss who aptly said once "Security is a black hole where money goes to die".

Those are best practices in hardening a system but those are just table stakes. Good security requires having observability of your systems and following up and/or checking on any anomalous activity you detect.

For the most part determined actors (many of them state sponsored) are going to be hard to prevent if they target you. Your best defense is early detection and reaction to the initial breaches. If you only do the hardening part and leave out the monitoring/observation part you are going to get owned.