For sure incompetence is at play here, but if these teams had compliance and security procedures in place then their incompetence would have been accounted for.
Realizing you need compliance and security procedures requires competence. The two of you are basically saying the same thing. There is no world where a company that can't get the most BASIC security practices right will realize they should have security procedures in place.