Well, that's because somewhere between the executive team, which "gets it", and "three levels down"... somewhere between 1 and 2 levels down, there is a team that translates "security" into some compulsory training, scanning internal software/apps/libraries/libraries using crappy automated vendorware, and counterproductive/arbitrary password requirements.

After that, "security" starts to mean "ticking all the boxes to keep the scan happy and stay off the report" (even if the scans are wrong, out of date, littered with false positives, and lacking the ability to find basic problems) and stops having anything to do with actually being secure.