• Part of the problem with security issues is the nature of the feedback loops to the people who have the power to ensure that security measures are central to the way an organization works.

    The feedback loop to a client who wants you to carry out some work for them is likely to be both continuous and subject to a very definite negative outcome if you fail to meet expectations, which will almost never go much beyond cost and timescale.

    It is therefore easy to continuously prioritise that delivery at the expense of time and resource that could ensure better adherence to good practice in the security field. Here the feedback loop is slow and uncertain. Slack practice will increase the probability of a security breach, but compared to the immediacy and certainty of client feedback it is easy to dismiss.

    IT staff, in my experience, do care and will do their best to maximize security and data integrity within the limitations imposed on them, and will try to escalate their concerns. However, power doesn't lie with those people, and business priorities generally mean that anything that may increase time or cost on a project gets dismissed with a JFDI instruction from those who do hold the decision-making power.