I can't speak for all of them. But I worked at a very large company known on a global scale. They thought they had proper security experts, but the people who hired them didn't know security very well. When issues were brought up, instead of asking "how do we resolve this?" they would ask "why would someone do that?" This raised so many red flags in my head the first time I heard it that I didn't even know how to respond.
I came to them with various issues, one of which could've had very serious consequences. I proposed step-by-step solutions that were simple and would've patched up issues behind the scenes and only impacted people who were violating security policies. They never seemed to care about protecting what they had. It was very sad.
I'll give two examples of the issues they faced:
1. They left doors unlocked and open to the building during working hours, anyone could enter and witness highly classified work on someone's machine, or use someone's machine if they had left their desk without locking it, which happened frequently.
2. Their shared document service, which contained many classified and highly classified documents, had an authz vulnerability that would allow any logged-in user to view (and in some cases edit) any document in the company that was stored on their document storage service.
I think my conclusion is that a lot of companies don't even know what their issues are, don't know what experts they need (or if they need them at all), and don't care because nothing bad has happened yet.
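As an added illustration of the authz flaw in example 2 (this is example code, not from the original post or the company described): a document service that checks only whether the caller is logged in, beside one that checks a per-document ACL for the specific permission requested. The document store, user names and permissions are constructed for the example.

```python
"""Constructed example: authentication-only vs per-document authorization."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when access is denied (same error whether the doc is missing or the ACL lacks the right)."""


@dataclass
class Document:
    doc_id: str
    body: str
    classification: str
    # Per-document ACL: principal -> set of permissions ("view", "edit")
    acl: dict = field(default_factory=dict)


# Constructed sample store: two documents, three logged-in users.
STORE = {
    "doc-1": Document("doc-1", "quarterly numbers", "internal",
                      {"alice": {"view", "edit"}, "bob": {"view"}}),
    "doc-2": Document("doc-2", "merger plan", "highly classified",
                      {"alice": {"view"}}),
}
LOGGED_IN = {"alice", "bob", "carol"}


def fetch_vulnerable(user, doc_id):
    """The flaw: only authentication is checked, so any logged-in user reads any document."""
    if user not in LOGGED_IN:
        raise Forbidden("not logged in")
    return STORE[doc_id].body


def authorize(user, doc_id, perm):
    """Deny by default: caller must be logged in AND hold `perm` on this exact document."""
    if user not in LOGGED_IN:
        raise Forbidden("not logged in")
    doc = STORE.get(doc_id)
    # One error path for "no such document" and "no permission" so existence is not leaked.
    if doc is None or perm not in doc.acl.get(user, set()):
        raise Forbidden(f"{user} lacks {perm} on {doc_id}")
    return doc


def fetch_secure(user, doc_id):
    return authorize(user, doc_id, "view").body


def edit_secure(user, doc_id, new_body):
    doc = authorize(user, doc_id, "edit")  # edit is a separate right from view
    doc.body = new_body
    return doc.body


def is_denied(fn, *args):
    """Helper for tests: True if the call is rejected by the authorization check."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```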