That’s a common misconception taken from an engineers perspective but you have to understand their job isn’t about engineering, it’s about risk mitigation. And when viewed from that perspective, they are doing their job.

The real problem is that the domain has gotten so complicated that a traditional risk mitigation approach to is an outdated role and is now better fulfilled by technical staff who specialise in security. But that’s an organisation problem caused by senior management (C-suite and above) rather than a particular individual in that specific role not doing their job well.