Remember that every line of code needs to be defended at all times. In the military sphere this is called the defender's dilemma: everything has to be safe all the time.
As the defender becomes a more desirable target, it attracts more attackers and accumulates more data that needs protecting. Attackers have inherent advantages that make it easy for them to identify poorly protected parts and to capture the entire application. There is no certainty that the functions you consider least susceptible to attack are in fact the least attacked. Small applications are also targets for security scraping.
To be fully secure, your application must be perfect. This is unrealistic, because any application will contain errors, but your goal is to give your application maximum protection in order to reduce its chances of becoming an easy target.
Depending on how well trained your software testers are, how complex the product is, and many other factors, one of these methods will be more appropriate for your company than another. But keep in mind that the approach to software and application security can be changed.