We know it's wrong, but we still do it.
The same principle applies to data protection. No matter how many self-appointed or government-appointed bodies, or legally enforceable rules, codes or "best practices" are laid down by anyone who thinks their opinions matter - we'll still continue to break them.
The reasons are manifold, from "It'll never happen to me", through "Well, I only did it once" to the old favourite "But it was an emergency" and finally "Really, officer... did I?"
So far as protecting data goes, it's just too inconvenient. All those security procedures take time and effort to comply with. Whether it means signing something out, encrypting data before travelling, not using paper copies, validating users before allowing access or banning thumb-drives and other removable storage, all of these require people to take the longer route - rather than the simple, straightforward plain copy of sensitive information. Given that people are frequently under pressure to deliver (or simply too damn lazy) it's little wonder that they take short cuts.
As it is, the only way data can be truly secured is either to prevent anyone, anywhere from accessing it (which gives rise to an existential debate: if no-one can access the data, does it really exist?) or to make the necessary security measures both the default and invisible to the users. Maybe that means keeping everything encrypted, everywhere, all the time, or making biometric access ubiquitous; I don't know. All I can say is that if organisations rely on rules or procedures or safeguards, they must expect them to be broken and ignored.
My personal favourite security method would be the IT equivalent of invisible ink: data that fades away gradually over time. Should save a fortune on backups, too.