Usually a company needs a ransomware attack or some other digital tragedy before they learn the importance of security.

Sometimes they need a few incidents, and need to be reminded when upper management deprioritizes IT security.