Typically upper management echelons are largely to blame for these breaches. As a previous commenter noted IT budgets have been repeatedly slashed. Combine that with a perception of IT not adding to the bottom line (i.e. cost center only) and a (faulty) risk analysis that it is cheaper to deal with the results of a breach than to try to prevent and you wind up with an infrastructure that just can't meet the security needed to remain secure against most threats.