So many people in IT just dont care, unless they have had a personal bad experience.

I had one data-warehouse that shrunk when the PCI-DSS / DP Act in the UK made room for directors to be personally fined and/or be sent to prison company etc. Until then I explored every avenue in getting the security in place to stop over 500 people from seeing credit card numbers and [personal information.

But without the court cases and without public fines too many companies are now ignoring the requirements.