I feel like the use of prod data for testing is more accepted in a "look the other way" fashion than we want to admit. Long answer follows 🙂
The security issues of this are rarely understood by the development team, even if they built the security protections in the system.
Development teams - and I include QA staff in this definition of dev team - often come up against "bugs" (yes, they may not actually be bugs) that they try to replicate & can't. They immediately go to "it only occurs in production" or "must be a quirk in the data in use" to justify running tests against prod data.
Then there is just the complex enhancement that needs a lot of in-depth data to build and test. There's either a time constraint or an effort constraint that prevents some teams from building out scripts to create the in-depth data to build and then test against.
In a past job, we had a perfect example of this last case - building a billing & rebates system. The rules around rebates were complex, based on $$ turnover for clients, plus in some cases also the number of transactions recorded. Throw in different currencies, different revenue for different sorts of transactions, and the billing system quickly gets very complex. The solution chosen to enable development was for the (very senior) team member to grab regular copies of the live data to develop and test the billing system.
It was somewhat questionable if there was permission from further up the chain to do this, but that team member eventually lost his job. And the company changed their security policies AND levels of access granted to the production data to both make it clear this is a big fail to do, and prevent casual, accidental use of production data.
So, the use of production data was a shortcut. But it was enabled by lax policy, lax education AND lax implementation of the actual rules around that.
It wasn't just the developer doing the wrong thing.
It was that there was no explicit policy they had been shown & agreed to, and no well monitored restrictions in place to prevent it.
Very senior dev should have known better, & did deserve to lose his job. But companies collecting very sensitive data should have established policy that is reviewed regularly, along with implementations of the restrictions in that policy (as much as possible) that are also reviewed regularly.