Somebody told me a few years back that the lifetime of a CISO in a larger organisation is no longer than 24 months. In my organisation that has proved to be true so far. Here the rule applies as well.
It really feels like the CISO role has become less about the security posture of an organization and more about being a corporate whipping boy, predesignated as the go-to sacrificial lamb for when a public leak or government investigation comes knocking.
Hard to find longevity or stability in a role that exists to fail
CISOs get paid a ton of money to be that sacrificial lamb. At the same time, since it's widely known that the post is a sacrificial lamb post, there is really not that much to lose.
Once this is known throughout the industry, it also means that the whipping boys keep getting fired and then taking up their next tenure at the startup next door until they're fired again.
Having seen how some CISOs "beg for resources", I pretty fundamentally believe most of this money is wasted anyway.
The only way you can really get better security at a company is to have an ingrained security culture, i.e., developers are continually educated on secure coding practices and new threats, code reviews include security checklists, corporate security training includes continual social engineering tests, and there is an atmosphere of continual improvement.
And yes, that stuff does cost money, but that's rarely the resources I see CISOs fight for. Instead, they fight for lots of expensive software, things like useless, shitty WAFs or poorly built "network monitoring" software (which can be a huge threat vector in itself, just see the SolarWinds fiasco).
Like many other comments here, I don't believe security is something you can "bolt on" at a company. Yes, there are specialized roles that a dedicated security team needs to fill, but unless everyone at the company has a true understanding of the value and importance of security vigilance, you're screwed.
To your point about security culture vs. buying security appliances, you need both. They address different aspects of security. If you're only doing one of them, you're in trouble. Likewise for checkbox-ticking security-by-compliance.
I strongly agree though that you can't really bolt on security, it needs to be designed in and part of the culture as much as possible. You'll never get everyone to understand the value though (I wish!).
I've been told similar for CMOs: under 1 year tenure on average. The narrative was that CMOs are weirdly a mix of technical, creative and accounting, meaning they need to come up with answers and execution that satisfy CEOs.
So either the company does well and the CMO stays, or not. And the default for most companies is to fail.