From an executive management point of view, security incident insurance is often seen as cheaper and safer than investing in actual security. That often leaves compliance as the only real security emphasis.
Yep, and then when the insurer declines to cover an incident because the company neglected proper security, you do NOT want to be the person with "security" in their title.
