Fundamentally the issue is that companies are just not investing enough in engineering and IT. When you farm out this work to offshore workers on a shoestring budget, the result is utterly predictable.

This isn't an offshore situation though.

I've worked with Allianz's cybersecurity personas previously on EBRs/QBRs, and the issue is they (like a lot of European companies) are basically a confederation of subsidiaries with various independent IT assets and teams, so shadow IT abounds.

They have subsidiaries numbering in the dozens, so there is no way to unify IT norms and standards.

There is an added skills issue as well (most DACH companies I've dealt with have only just started working on building hybrid security posture management - easily a decade behind their American peers), but it is a side effect of the organizational issues.