Moreover, these things should be built upon the certainty that somebody smarter than you, the coder, might be interested in free money, and that the software will be broken.
Only with that mindset can one build a system that doesn't screw over every legit customer when it happens.
Ahh, the default finance mindset is a bit different - first, assume that your own employees, managers, sysadmins and developers would be interested in free money. Design the system, processes, checks and audits according to that - and it covers most of the precautions against outside hackers as a natural consequence.
If you start a BTC exchange, write half of the initial code yourself, have access to the servers and own the company - then you should ask a simple question: could I myself steal funds undetected? If you're an investor, could the CEO/founder steal funds undetected? If the answer is yes, you have work to do.
There are some theft options by privileged people that can't be realistically prevented, but you can make sure that those scenarios would be detected within a day, and thus those privileged people simply wouldn't do it to avoid jail.
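Two of the checks this comment is talking about, written out as an added example (not code from the thread or from any exchange): a same-day reconciliation of what the ledger says customers are owed against what the wallets actually hold, and a two-person rule on large payouts so a single insider with server access cannot sign off on their own withdrawal. The ledger entries, custody balance, staff names and thresholds are all constructed for the example.

```python
"""Daily insider-theft controls for an exchange ledger (constructed example).

Two checks that one privileged person cannot quietly bypass on their own:
  1. Reconciliation: coins owed to customers (internal ledger) must equal
     coins actually held in custody (wallet/node), or the gap is flagged
     the same day rather than months later.
  2. Separation of duties: a large withdrawal needs two distinct approvers,
     neither of whom is the person who requested it.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LedgerEntry:
    account: str
    kind: str          # "deposit" or "withdrawal"
    amount: Decimal    # always positive; kind gives the direction


@dataclass(frozen=True)
class WithdrawalRequest:
    tx_id: str
    amount: Decimal
    requested_by: str              # staff id that initiated the payout
    approved_by: Tuple[str, ...]   # staff ids that signed off


@dataclass(frozen=True)
class Reconciliation:
    owed: Decimal    # what the ledger says customers are owed
    held: Decimal    # what custody reports holding
    delta: Decimal   # held - owed; negative means coins are missing
    ok: bool


DUAL_CONTROL_THRESHOLD = Decimal("1.0")       # BTC; above this, two approvers
RECONCILIATION_TOLERANCE = Decimal("0.0001")  # tolerate dust / rounding only


def customer_liabilities(ledger: List[LedgerEntry]) -> Decimal:
    """Total owed to customers: deposits minus withdrawals."""
    total = Decimal("0")
    for e in ledger:
        if e.kind == "deposit":
            total += e.amount
        elif e.kind == "withdrawal":
            total -= e.amount
        else:
            raise ValueError(f"unknown ledger entry kind: {e.kind!r}")
    return total


def reconcile(ledger: List[LedgerEntry], custody_balance: Decimal) -> Reconciliation:
    """Compare ledger liabilities with the balance custody reports.

    The custody figure should come from the node/wallet, not from the same
    database the ledger lives in, so one person cannot edit both sides.
    """
    owed = customer_liabilities(ledger)
    delta = custody_balance - owed
    return Reconciliation(owed, custody_balance, delta, abs(delta) <= RECONCILIATION_TOLERANCE)


def approval_violations(requests: List[WithdrawalRequest]) -> Dict[str, List[str]]:
    """Map tx_id -> reasons for every large payout that breaks the two-person rule."""
    problems: Dict[str, List[str]] = {}
    for r in requests:
        if r.amount <= DUAL_CONTROL_THRESHOLD:
            continue  # small payouts may go out on a single approval
        reasons = []
        approvers = set(r.approved_by)
        if r.requested_by in approvers:
            reasons.append(f"requester {r.requested_by} approved their own withdrawal")
        if len(approvers - {r.requested_by}) < 2:
            reasons.append(f"{len(approvers - {r.requested_by})} independent approver(s), need 2")
        if reasons:
            problems[r.tx_id] = reasons
    return problems


# Constructed sample data: three deposits, two withdrawals -> 12.0 BTC owed,
# but custody reports only 11.4 BTC, i.e. 0.6 BTC has gone missing.
SAMPLE_LEDGER = [
    LedgerEntry("cust-001", "deposit", Decimal("10.5")),
    LedgerEntry("cust-002", "deposit", Decimal("3.25")),
    LedgerEntry("cust-003", "deposit", Decimal("1.0")),
    LedgerEntry("cust-001", "withdrawal", Decimal("2.0")),
    LedgerEntry("cust-002", "withdrawal", Decimal("0.75")),
]
SAMPLE_CUSTODY_BALANCE = Decimal("11.4")

# Constructed payout requests: W1 is fine, W2 is below the threshold,
# W3 is self-approved, W4 has only one approver.
SAMPLE_REQUESTS = [
    WithdrawalRequest("W1", Decimal("2.0"), "alice", ("bob", "carol")),
    WithdrawalRequest("W2", Decimal("0.75"), "dave", ()),
    WithdrawalRequest("W3", Decimal("5.0"), "erin", ("erin", "frank")),
    WithdrawalRequest("W4", Decimal("1.5"), "gina", ("hank",)),
]


if __name__ == "__main__":
    rec = reconcile(SAMPLE_LEDGER, SAMPLE_CUSTODY_BALANCE)
    print(f"owed={rec.owed} held={rec.held} delta={rec.delta} ok={rec.ok}")
    for tx, reasons in approval_violations(SAMPLE_REQUESTS).items():
        print(f"{tx}: " + "; ".join(reasons))
```

The point of the design is that the two inputs to `reconcile` come from different systems (the ledger database and the wallet/node), and the approval record is checked by code nobody in the payout path controls; a developer who can edit one side still trips the check on the other, and the job runs daily, which is the "detected within a day" the comment asks for.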