"You're the exception"
Actually I have the luxury of not working for anyone these days.
But you may be right in that before I retired my last client had the word "Security" as the first word in the company name and meant it so that helped. Directors would have Richter 8 shouting matches in the open office but not about security. At one time they hired a company to try ringing various members of staff - and freelancers - to try to pry out company information and found we were effective at rebuffing them. Prior to that I worked for a large company that had a major, in PR terms at least, security egg-on-face incident and after that they went on a not entirely security theatre kick so at that time at least they became quite security minded. I don't suppose it lasted when their feet were no longer held to the fire.
When security requirement are imposed externally, and the likes of GDPR can do that, it becomes in the top team's interest to take is seriously.