Companies have never cared about security, because there are almost no consequences to data breaches. A hospital network could get ransomwared for 48 hours, and no one cares. Critical data gets leaked? So what, pay a fine. You either pay a fine to the hackers, or you pay a fine to the government, or you pay a fine to customers, but no matter what its substantially less than a fully staffed security team, not just because security professionals are expensive, but because security professionals slow everything else down, they'll spend all day telling everyone what they can't do, which == lost revenue growth.
The only thing keeping security companies in the business is compliance/certification. If you've been around these compliance programs for long enough you know: they're box-checkers. But, sometimes you need to check that box, begrudgingly, annoyingly, so most companies will prefer to just outsource that security work to some managed security services provider, then think about it once a year when audit time comes around.
What is a cybersecurity professional going to do about a bunch of vulnerabilities in an app that someone else decided to deploy on a network they are responsible for?
99% of cybersecurity in the commercial sector is a box checking compliance exercise.
Yep, I think my megacorp's cybersecurity department is just a bunch of checklist punchers that now just copy and paste any of our technical writeups into ChatGPT, and I am not even joking. Fucking infuriating.
They are doing the bare minimum for cybersecurity insurance requirements, thats it.
I know _for a fact_ that most companies don't care. There might be a select few out there that genuinely do, but most don't. I've literally reported numerous GLARING vulnerabilities to companies in various different industries, only for the vulnerabilities to remain unpatched for MONTHS. Few of the most comical examples, one major game studio was compiling their Linux binaries with FULL DEBUG SYMBOLS AND INFO plus they were shipping a 600M .sym file with practically full paths and all source info. Literally all the paths and function signatures to every single one of their functions was in there. I had to submit FOUR bug reports before they patched it (didn't even receive a bug bounty). The second one was with a major multinational telecom that was distributing routers that _had an open telnet port to the wide internet_ ... with a default password. And there were countless more. The telecom one I had to BEG them to ship me a new router, or to at least do an over the air update, because "they didn't understand what the problem was".
Shipping debug symbols isn't a security vulnerability. It might be sloppy, but we all know that security through obscurity doesn't work. Especially not with modern analysis tools and access to the executable code.
The only thing keeping security companies in the business is compliance/certification. If you've been around these compliance programs for long enough you know: they're box-checkers. But, sometimes you need to check that box, begrudgingly, annoyingly, so most companies will prefer to just outsource that security work to some managed security services provider, then think about it once a year when audit time comes around.