

Most organizations in the US don’t value cybersecurity as anything more than an abstract concept. The reasons for that can be numerous but in my experience it’s usually a combination of cost + survivorship bias.
Lack of serious consequences is another factor. Had a breach? Pay a small fine and an even smaller settlement (or should I say your insurance pays) and then it’s back to business as usual. Even in situations where the breach is due to gross negligence, the consequences are minimal (see Equifax).
“Full Stack Dev” AKA Backend Dev who knows just enough about CSS to be dangerous.