Implementing security policy is not easy. It's difficult from a technical perspective, sure, but convincing others in your company that the changes are necessary can be just as much of a challenge, and doubly so if you can't convince leadership.
The story of Twitter's current security woes is a great example.
The Peiter Zatko (a.k.a. "Mudge") vs. Twitter dispute has become very public. Mudge released a very long (84-page) document that details what he says is a longstanding pattern of indifference to security. Here are the technical details of the alleged security failures.