I have seen some Rolls-Royce, no-expense-spared, state-of-the-art security in financial services, with so much headcount that people had time to sit and watch the footie on the big screens. I've also seen bad practice that would shame your Aunty Mabel in organisations turning over mind-bogglingly vast sums of money on a daily basis, with the litany of excuses I used to think had gone out of fashion twenty years ago - "it's alright, it's inside the firewall", "we've always done it this way", "well how else do you expect me to do my job?!??" and the rest. The main difference seems to be that the very good orgs had retail customers, whilst the bad ones only had similarly clueless orgs - big enough to pay for a few hundred mansions and customised Range Rovers, not big enough to care about security.
When it's good, it's very, very good. When it's bad... "I've seen things you people wouldn't believe". Real jaw-droppers. I thought I'd seen egregious incompetence and wilful blindness -- before I got into finance I'd seen an entire database team with admin passwords taped under their keyboards and server rooms that could be opened with an Oyster card -- but the bad fin serv firms? OHHHH...
I do sometimes wonder whether my liver will pop like an overripe tomato before the massive systemic risks blow up the world or not. The ghastly thing is that the only hope I have lies in regulators. The regulators' attitude is "you'll know you broke the regs if you get hacked and lose a lot of money, or your firm blows up. If that happens, we'll carry out a big investigation and then bar you from the City, five years later." If _I_ were senior in one of those firms, I dare say that would sound like a poor trade-off against another £1m bonus in the new year.