It is common to have the insider threat dismissed as a scare tactic or worst-case scenario, and I believe this is a mistake.
We are all about the business value of risk.
Most enterprise companies have to protect themselves from malicious insiders at all times, and this affects the design of their software, specifically the need for least privilege and, more generally, all requirements surrounding logging and internal controls. My thinking is that if you want to have a seat at the table during the beginning phases of the software development life cycle, it is best to master the concerns and business needs imposed by this type of risk.
Granted, our industry seems to generate snake oil by the barrel, which is all the more reason for us to take these threats seriously and calmly seek publicly documented data on real cases.
Indeed, one would hope the information security professional is someone who helps to establish the boundaries of trust in systems being built, not someone who vacuums up the pieces of broken projects, however well such housekeeping pays.
Until about 2006, the PRC list identified insider threat incidents as "Dishonest insider." After that, the number of employee-instigated events is described with greater detail but is therefore harder to search. A quick look here should be enough to convince most on this webappsec list that the impact from insider threats is not insignificant.
As software security professionals, we can help to mitigate insider threat problems, and our value in doing so should not be underestimated.
The commonplace nature of OWASP Top Ten-type flaws should not prevent us from acknowledging their utility in the hands of a malicious employee, developer, manager, etc.