Indeed, some of these things take months of work to complete, to expect a startup with a couple of people, working part time, to dedicate time to these is a startup death sentence.
And really, most of them don't provide security, they're a checklist. Checklists don't provide security, they provide (sort of) accountability.
Frankly, security should not be the top priority of a small startup, unless you deal with extremely sensitive data. I'm not sure it should make the top five. Off the top of my head, survival, product dev, growth, hiring and infra are all more important if you're just starting out
There are certain things that are very difficult to implement if you skip them at launch. For example, encryption of 3rd-party secrets. CircleCI is a good example of a successful company burning themselves badly by treating encryption as an afterthought.
And really, most of them don't provide security, they're a checklist. Checklists don't provide security, they provide (sort of) accountability.