The people working in those professions are; their bosses and their IT departments are not. IT security is treated as solved problem - if you deploy enough well-known solutions that prevent your employers from working, everything will be Safe from CyberAttacks. There's an assumption of quality like you'd normally have with drugs or food in the store. But this isn't the case in this industry, doubly so in security. Quality solutions are almost non-existent, so companies should learn to operate under the principle of caveat emptor.