Unfortunately, I'd guess that the other 2/3 were just getting their Risk/Reward calculations wrong.
I've been in a lot of places where Those On High run their businesses with a lot of risk - for example, not spending money on proper security. The rewards of that approach can be high for them, providing they don't get hit during their incumbency. Sometimes I have actually wondered whether they actively take this approach, or just stick their fingers in their ears and hope.
Even more unfortunate is the fact that they will get to keep the rewards and it's the company who pays for the impact of the failure.
TalkTalk was the classic example. The downside of the TalkTalk hack was that it demonstrated that the C-Level crew can get away with even such an egregious failure, with a few lies about "our customers' security is our highest priority". The TalkTalk debacle doesn't seem to have done Dido Harding's career the damage it should have done.
(<Deity(s)> forbid she actually gets the job of heading the NHS. If that happens, I'm leaving the country.)