Implementing security policy is not easy. It's difficult from a technical perspective, sure, but convincing others in your company that the changes are necessary can be just as much of a challenge. Doubly so if you can't convince leadership.
The story of Twitter's current security woes is a great example.
The dispute between Peiter Zatko (aka "Mudge") and Twitter has become very public. Mudge released a very long (84-page) document detailing what he says is a longstanding pattern of indifference to security. Here are the technical details of the alleged security failures.
Security doesn't have to be a massive financial hardship. In fact, there are a great number of things that can be done in your organization to make systems and applications more secure. This post outlines some of the most helpful of them.
Not all security needs to come with a price tag, and organizations shouldn't give up on becoming more secure because of cost concerns. A lot of security comes down to education, mindset, and taking advantage of the security built into products and technologies that you already own.