My experience over many decades is that IT folks may administer a system but know next to nothing about how and why it works and how to protect it
There are rare exceptions
Very rare
And when it comes to security breaches, slim to none
Exactly. I retired from the industry in 2000. Back then, system security was a high priority on your "things you better know" list as an IT supervisor. These days, all they know how to do is shut everything down and make a call to Microsoft, Cisco, etc. This of course, leads to days of tracing before they actually find out what was stolen.