
In the profit-center view, everything is either a cost center or a profit center. And it is nearly impossible to get anyone to truly care about a "cost center".



In my experience, the conflict in many bigger orgs isn't even on the cost vs profit axis, it's on the tangible vs non-tangible axis. It's a lot easier for middle managers to show they did well if they deliver customer-impacting features than a nebulous "improved security". This is true even when higher up management actually wants to invest in security.


What if the company is providing only cybersecurity-related services? Could it be, in this case, that everything is on the profit side?


Sure, but to the client hiring them, it's a cost. We'll take the basic compliance package please, no need for any of the gold tier high security features.


"...because our executives won't get thrown into prison as long as they check all the compliance boxes. In fact, they won't get thrown into prison even if they don't check the compliance boxes, but that would be a minor nuisance, so we'll take basic compliance."


Precisely this



