14

When an application has tons of security holes and fixes never make it into sprint prioritization because "they're not new features"

Comments
  • 2
    That can come back to haunt a company. Security is critical.
  • 1
    I would try and sneak them in as you will be blamed if you are subject to an attack.
  • 0
    Sometimes classifying them as bug tasks helps... But yeah, that's bad
  • 1
    Can you at least say then okay, prior to deployment, we spend one sprint purely on patching and cleanup? Users won't expect new features but just patching of security and making the code tighter.

    Also I've found rewording bugs to sound like a new feature makes it easier to get it. So make a story called "security optimization" and make the security holes you need to patch the acceptance criteria.

    I swear, sometimes I feel like our job title should just be "bullshit artist".