'Twas ever thus
Executive performance is measured using the wrong metric. For security executives it is measured on a combination of reported incidents (they must produce a graph each month that shows a continually reducing number of incidents), on "making effective use of resources" which means paying people very badly and using as few as they can get away with, then sacking the ones who are good (and expensive) and replacing them with people who are cheap, and finally on ROI which means that some made-up number must be bigger than another number and the best way to achieve that is to slash costs to the bone.
Given the set-up, how do they meet their objectives? That's easy, don't monitor and under-report whatever you see. I've seen set-ups where the exec has proudly stated that their security processes are so good that they have *never* had a malware event. A quick look at their anti-malware shows that it's a package that has in the past had reviews such as "It would be better to have malware than to have this on your network". Sweep the system for malware using a package that works and... thousands of viruses, Trojans, adware and other garbage detected. The only reason that they thought they were immune from malware was that they had a package that could not detect it.
I've seen IPS installed and set to passthrough, a shiny box doing absolutely nothing.
I've seen networks where the management ports of the servers were all tied to the user LAN, in fact the only LAN in the company, because "it's easier".
If you suggest that there's a better way of doing this, no one wants to know. And the CEO will happily go on national TV to say (a) their networks are perfectly secure and (b) that massive data loss was all the result of some evil, well-resourced foreign power[1] who hacked around all the in-depth security controls[2].
[1] Colin Thring (14), 21 Gasworks Terrace, Cheam, using his Sinclair QL and a USR modem.
[2] An eight character password of which only the first four characters are significant that is stored in plain text on a SQL server connected to the internet without a firewall.