Even more unbelievable the second (?) time...(long post)
In order to change the practices, you have to change the culture.
The managers want to optimize the workflow; i.e., do as little as possible to make things work smoothly. They cut corners (like passwords, etc.) because they are uneducated or uncaring about computer security.
Well, it's time to re-learn about Darwin. Those who are most adaptable will survive. This concept is usually connected with cutting out the people at the bottom of the barrel. However, Darwin's concept also cuts out people at the **TOP** of the barrel. It cuts out those too idiotic to succeed, and also those who succeed too well (where the rest of the population usually gangs up on the rogue and takes them down as a threat to their way of life). If you were ever beaten up in school for being a nerd or geek (too intelligent), you know what I'm talking about.
Sound familiar? If you've ever heard the word "overqualified" with regards to a job interview (as I have several times), you're a victim of Darwin. Mediocre managers tend to get rid of employees smarter than themselves (and avoid hiring them at every opportunity). The other common phrase is "not a good fit for the organization". It used to be a case of intelligence alone, but now it's skill-related. If you know more about security than the boss, and you tell them about it, they automatically think you're out for their job, they circle the wagons, start looking for things in your performance they can fire you for, and if that fails, they start making things hell for you in the hopes that you'll quit on your own. You're too smart for them to handle, and you're making them look like an idiot. And those kinds of managers certainly are idiots, since they could just as easily take your brilliant discovery and make their own boss think it's their own discovery (and help the company in the process).
So how, then, do you change the (corporate) culture? Some of the previous posters had good ideas, such as fining the company and firing the morons in charge of security. But other things are necessary, like independent audits and firing board members (or even entire boards where corruption and incompetence are rampant). Government regulation is also necessary, to prevent the entire company from going corrupt, and also to step in and take over the company (temporarily) if they're a risk to the nation's security as a whole. Once the problems are fixed and the workers are assessed on their performance, suitable replacements can be picked from the company workers, or brought in from outside the company. (In almost no case should a company be nationalized permanently, or completely disbanded as a hopeless case.)
Some of you probably think I'm nuts with that last bit, but consider just how much hackers and thieves can get away with when they get millions of credit card numbers. Say, for instance, one million card numbers with a balance of 1000 [insert currency unit here]'s apiece. It's not a question of regulation, it's a case of grand theft credit card, when potentially billions of dollars/pounds/etc. are on the line, and if that money is lost, it can have a disastrous effect on the national economy.
If you don't believe me, look at Exxon/Mobil's profits, and tell me they don't need strong governmental regulation - our US economy is (pardon the horrific pun) tanking right now because they're war-profiteering and price-gouging. Every sector is suffering greatly, because nobody has money to spend, and corporations pass their price-of-doing-business increases directly on to the consumer.
The company that bought Bethlehem Steel made all of the steel workers' retirement contracts null and void, ruining the lives of hundreds of retired workers and those near retirement. Enron, Worldcom, the list of corporations blatantly breaking the rules has grown all too long (especially in the last 8 years). Those who aren't breaking the rules seem to be lobbying the government to change the rules to work for the corporations, and not the consumers.
Basically, you have to change the **entire** culture, not just one part. Corporate culture is top-down, and that's the only place you can change it. Corporate whistle-blower laws aren't all they're cracked up to be. The only real way to do it is to make the government the top dog. Corporations only have allegiance to the almighty [insert currency unit here], so they have to be made to follow the law. Why put the government at the top? Because the government is (for the moment) still accountable to all of the citizens of the nation (and not just those who pay). Also, if the government doesn't do it, obviously the corporations won't police themselves effectively.
Put it this way: if the US government threatened to nationalize Exxon/Mobil and fire Exxon's entire board and corporate staff the next time they had an incident like the Valdez disaster, you'd better believe they'd shape up fast. Remember, corporations are like children: they are nursed and grow up in the country where they were spawned, until they get too big and go out on their own. However, the analogy ends there, where the corporation beats up and spits on their parent country by behaving despicably (like all the above corporations, and so many more).
For my final two cents, just keep in mind that corporations are like any gang; whatever their members do is done by the entire gang, so that they protect their members. The gang's responsible, not the gang members. Bullshit. If they want the entire gang to be responsible, then when they screw up somebody's life, you find **each and every gang member** and lock them up. That's what they wanted, isn't it? No personal responsibility, just group responsibility? That's how you fix the corporate culture. Hold them all to account. The profit of the company and the good of the company are two separate and distinct things, and every member of the corporation should be making sure the company does things for the good of the company (or it's their ass in the fire too).
The feds really need to step in. Flame, because all the nations of the world will go down in flames if their governments don't get in there and get back the reins of power from the corporations.