"... organisations therefore need to invest in up-to-date on-the-job training. He specifically suggested simulations and red teaming activities." [Dr. Greg Austin, professor of Cyber Security, Strategy and Diplomacy, University of New South Wales]

In over 20 years of infosec consulting, I've never found in practice (or in any breach report) an organisation that was breached despite robust security management. A reactive technocentric stance is almost universal, coupled with perfunctory risk and awareness management. The result is unwitting soft targets everywhere. Simulations and red teaming typify such strategies of reactive response. They are necessary but far from sufficient.

The most important contributions to real cyber security are [1] executive commitment, so the problem is taken seriously and the necessary resources are available to manage it; [2] genuine risk management expertise, so the results of assessments are not total nonsense; [3] adequate communication upwards and sideways as well as downwards in a no-blame culture, so those in charge find out fast what's really happening. In my experience these attributes are practically never present in any organisation, regardless of size.

As a result, we skirmish with bandits in their own territory, so we lose. The reality of cyber defence is that it's not primarily a technology issue: it's a management issue with technological aspects.