The quick answer is yes, as you gathered. But it doesn't need to be the huge job you're thinking of. (The whole security thing might be big, but this is only one part of it). You have far more serious issues than that.
Why it matters
ANYTHING you create will be hit with attempts to break it. Someone will be curious. Someone will do something you never expected and which defies your thinking. Someone will be curious, or malicious, or nosey.
You should also take for granted that your software/web app will be tested hard by automated tools. Servers with an online portal (of almost any kind) get discovered by hackers within tens of minutes of first going online, and start to be probed for any one of thousands of possible security lapses or oversights. This means they probe for what exactly is running "behind the scene", as well as for any detectable lapses that can be exploited (in data validation, cross scripting validation, SQL or binary injection, JavaScript hacking, the back-end itself, what weaknesses can arise by forcing something to fail, what data can be exposed...).
Your web server(s) will be probed this way, constantly, for any possible web code and back-end lapses, by hundreds if not thousands of automated tools. That's as well as humans and users, not instead of.
Would you rather this was far down the road and brought to your attention forcefully by critics, media, and irate users, or led to liability? Or would you rather fix it?
How to resolve it
Its not a huge job in one sense. You create a security framework and then each page imports or uses it. The concepts to do so aren't hard and are well documented. So the number of pages isn't a big deal.
The hard part of the job is that security is hard. Your real problem is that, from the fact that these issues are there and you're asking these questions, you don't know enough to have a hope of doing it without help. Seriously. You. Do. Not.
I don't know what size team you have, or resources. You need it - and you probably don't have a hope of doing it without outside help.
My real concern here
That said, my real concern isn't the web app. It's the mindset this question suggests.
Imagine I'm considering buying or using your app.
It doesn't help, or reassure the reader, that you apparently consider security as an afterthought, a disruption to your work or inconvenience to fix up afterwards (or don't understand it enough that so far you've treated it that way), and maybe the issues are things that are really basics, like coding a button URL properly.
Security is your work, because however technically wonderful the product/service is and whoever its users are, your real product is trust and reassurance that you'll address my needs and not cause me a major disaster.
I'm supposed to trust your app with my data? Right now, and I'm sorry to say this, I think I might as well publish it on Google+ myself. Yes it is "that bad" a situation and impression, and no this is not overstating it for effect.
I'm sorry.
Now, if your app is any good, get someone else involved.