Typically we wait until the end of project and then implement security. As with most development cycles many things change up to the final release. If your development model is very organized without much feature creep then it would be easy to implement during the actual development process.Additionally, it depends on the level of granularity you want to use. For example, if you want to implement security at the CRUD level then it would make sense to create permission when you are creating your BO. It would also make sense to create permissions during development if you have more sophisticated forms with various levels of security at the field level.
At the end of the day it is a matter of organization and your style of coding. Localization is a very similar challenge.