"Organizations should put controls and processes in place"
Indeed they should. Most companies of more than 100 employees do, because they have enough money to get an IT department in place that will properly prepare and configure the network to allow for it. Of course, sometimes said big companies will still spectacularly fail (eh, Target?) and then everybody will point and laugh because everyone knows they had the means, they just didn't put the proper effort into it.
Nonetheless, most companies are fewer than 50 people, and most of those companies do not have an IT department because not enough budget. Or worse, the CEO thinks it's a good idea to appoint a family member as IT manager because various stupid reasons, so an incompetent twat is in charge, backed by the might of family ties.
Those companies are really at risk, because either the CEO is convinced he knows what to do because he can program an Excel formula, or his nephew knows all because of all those hours on PlayStation instead of getting a degree. Either way, the only thing that actually saves them is their obscurity, until the day it doesn't because some PEBCAK downloaded a Locker and ended up encrypting the company's sole file server (that has no usable backup, because obviously).
In the end, I think it's just Capitalism at work. The healthiest companies survive, those that cannot identify threats and define mitigations fail. Isn't that what Capitalism is all about?