The blame game and lack of responsibility.
The issue is that the people who COULD force the proper practices are the very ones who have all the incentives not to. The people in charge of IT are, 999/1000 of the time there to keep the budget to a minimum and rarely know how to even turn the color box on without help.
So it's "I can save here, here, and here" instead of "we have to spend X on this or we could face Y in the future".
When the penalty for a BREACH is you loose the ability to process payments until you can SHOW you took proper precautions to convince a third party you did your homework properly, as well as LARGE fines if you fail to disclose any such breach and are found out, we'll start to see some pro-active managers.
Until the idea of loosing the consumer's data equals "we will loose the entire buisness and I will not only loose my job, but also my golden parachute and I might face jail time if we don't do this right " in the mind of the people paying and approving the expense, it will continue to get worst.
Biting the hand that feeds IT
