Rod, I'm not surprised that your large IT organization has this problem. In my experience, the larger a group is, the harder it is to address debt. (If it was just you, you could decide to work on it.)
I've pointed this out to my management and the most successful approach I've found is to try to bundle some refactoring into the "definition of done" of our larger projects. We'll add feature set X and also correct debt Y in this project. Doesn't always fly, but it has a better chance than adding a month and a half to a two week project.
Besides security, we also like to focus on eliminating one-off technology. "That module is the only one using the Z library, and Harry is the only one who knows it." That's a risk we should address, (and sometimes a money savings if we're licensing Z for just this purpose).