InfoSec is a joke at a lot of companies
Most of the "InfoSec" depts. at companies I've worked at/with consisted of a couple of people checking CVEs and e-mailing the sysadmins what they thought was relevant. They had almost no technical skills and mostly came from military backgrounds. Really the whole dept. existed just so they could check a box for the auditors when some of our more regulated customers (like banks) asked if we had an infosec dept. and plan.