IT guys should be accountable for their work. Their work should be peer-reviewed, just as ANY technical work in ANY field should be. In firms where there is no one else who can do this, an external organisation should be engaged to audit and report on status/risk level/recommendations.
If as IT workers we find that we are not being held to account, ourselves, then we must be brave and honest enough to speak up and recommend to our employers that they get our work checked by a third party.