@lisihocke really interesting post!
I especially like the mention of security theatre. When new to security, i think we've all been guilty of doing a ZAP scan, reporting the headers and calling security done!
I think it's also important to make sure your are making security interesting! I'm biased as I love the stories but security can feel like the dryest shit ever or some real spy shit.
One way to make reports interesting and engaging is through POC's.
When you find a missing clickjacking header, don't just report it, create a HTML page with an iframe and show how you could abuse it!
When you find an enumerable endpoint that leaks email addresses, don't just explain it, write a quick script that iterates through all users and pulls the emails into a file.
In my experience, everyone likes to see how their tech can be abused imaginatively. Although this isnt always possible, if you show this a few times, devs will listen the other times you raise a concern.