As I said, performance and security should be in the development team's mind when they implement anything. There should have unit, system, integration and regression tests in every single step of the development lifecycle.
Release managers that authorise deployment without having a check mark against security items shouldn't be release managers.
Security testing can be challenging, particularly automated testing. Tinfoil Security that you recommended a while back is an interesting option.
Sometimes project / release managers will say "we need security testing", business owners will say "no get it live asap".
Frustrates me to no end when security concerns are not taken seriously by release managers.
At a previous role, i left the company due to this situation.