Sure. Of course, you're going to prove that it was a management directive, and not just plain old IT incompetence or malice that led to "deleted" profiles being left around in the system, right?
If the IT guys are partly to blame, they should be lined up right alongside their managers for those whippings. And I'm pretty sure that you'll find more often than not that the IT guys are just as clueless and incompetent as their clueless and incompetent bosses.
Irrelevant.
Obviously, if it was a management directive, it's management's fault. However, if the lack of security is due to ignorance/incompetence on the part of IT, it's still management's fault, as it's their job to hire and/or train IT for security (and fire if necessary).
Internally, management is free to assign blame and take action against IT, be it through improvement plants, pink slips, or (in the case of malice) lawsuits. But make no mistake - management holds final responsibility - that's part of being in leadership.