Attackers, whether state-level, corporate, or criminal, all rely on ignorance like this. It also probably involves denial: you want to believe your systems are safe, so you delude yourself into thinking that minimal protections are sufficient.

I wrote a longer comment about this here: https://news.ycombinator.com/item?id=43745423