Static analysis tools are essential for identifying software quality issues, bugs, and security vulnerabilities in source or binary code. Despite their importance, limited research has examined how non-technological companies approach software security and integrate Static Application Security Testing (SAST) tools into their development pipelines. To advance understanding in this area, we investigated the motivations, challenges, and benefits associated with adopting SAST tools. Our study involved the use of CogniCrypt and CryptoGuard—two state-of-the-art tools for detecting cryptographic API misuses, a common source of software vulnerabilities. We organized focus groups with software developers and security experts from three organizations and performed a thematic analysis following a grounded theory approach to identify factors influencing SAST adoption and participants’ perceptions of these tools’ effectiveness. The analysis revealed themes reflecting concerns about false positives, overconfidence in state-of-the-practice security tools, reliance on infrastructure-based data protection, and persistent challenges in remediating vulnerabilities in legacy systems. Despite these difficulties, participants recognized the value of SAST tools in enhancing security awareness, facilitating knowledge transfer, and promoting secure software development practices. Based on these insights, we provide actionable recommendations to support SAST adoption and improve the usability, reporting clarity, and integration of tools such as CogniCrypt and CryptoGuard. As a concrete outcome, one participating company decided to remediate all cryptographic API misuses identified during our collaboration.