They usually don’t have a choice. They know this stuff is bad, but they need it to demonstrate compliance with XYZ framework so they can fill out the marketing copy so sales can land a contract with some big customer that wants to know why $competitor has better security than you.