I think the unwillingness of some managers to learn or follow security basics hurts bads. Many don't want to take the time to learn the basics because either they don't think they'll understand or there is the attitude "that's what we pay you for".

I'm talking very basics like strong, private passwords and some discretion opening attachments. This has a huge trickle down effect because if workers know there manager doesn't buy in they know they probably won't be reprimanded.