Companies have never cared about security, because there are almost no consequences to data breaches. A hospital network could get ransomwared for 48 hours, and no one cares. Critical data gets leaked? So what, pay a fine. You either pay a fine to the hackers, or you pay a fine to the government, or you pay a fine to customers, but no matter what its substantially less than a fully staffed security team, not just because security professionals are expensive, but because security professionals slow everything else down, they'll spend all day telling everyone what they can't do, which == lost revenue growth.

The only thing keeping security companies in the business is compliance/certification. If you've been around these compliance programs for long enough you know: they're box-checkers. But, sometimes you need to check that box, begrudgingly, annoyingly, so most companies will prefer to just outsource that security work to some managed security services provider, then think about it once a year when audit time comes around.