How is it that known bad practice circulate as mandatory "best practices" as if they are a bad song you just can't get out of your head?
I quote an observation from a long time internet pioneer while respecting his privacy. The question at hand was, can the CIO learn anything from the Equifax breach and settlement?
> As I have mentioned before, at least to some of you, it is not only the CIO who needs to learn. At a previous job, in a "security best practices" presentation (well, after the presentation) by the Head of IT security, I talked to said head about the long known issues with mandating frequent password changes. I'm not here to debate that particular issue, but to share what he said, that astonished me: "I know, but it's not my call". > So, apparently the Head of IT security at a major network equipment manufacturer can be over-ridden by someone else. Even if the CIO of a corp "knows" or "learns" about security, it may hang on the thread of someone higher up the org-chart knowing, and giving a damn. > Since that time, said network equipment manufacturer has had a number of embarrassing issues with security on their gear. Not that the average CEO is capable of being embarrassed.
My own employer shares this disfunction with the justification that our largest customers demand it of us. This is an example of Security Theatre, a behavior characterized by Bruce Schneier. wikipedia 
There is a sense here that the customer is always right. We could translate it to an economic argument, "we don't know what it will cost us to do as requested but we do know the cost if we don't close this deal."