It's entropy, plain and simple. Sooner or later, no matter how secure an organization may be at any given point, skip ahead a few cycles, and attention to detail wanes. Managers stop asking questions, project leaders reprioritize thinking the problem is solved, staff do a "monkey see, monkey do", and then new gaps open up, get taken advantage of, management go into a state of denial, project leaders can't get their teams to give a damn, and then the inevitable breach or audit reveals the extent of the vulnerabilities, and management sends out the big press release that's always "We're reprioritizing security because we take security SERIOUSLY!"
Rinse, repeat, endlessly until the heat death of the universe shows entropy is always king.