I suspect the 2/3rds figure is coming from the fact that the person creating the gap in security is above a given person on the org chart. Pissing off your superiors is a great example of a Career Limiting Event. Rank has its privileges. I have not yet seen an organization of any appreciable size, public or private, where those at the top do not consider themselves above security policy. That's for the plebs, kind of like how taxes are for little people. While your typical rank and file worker may have to change his/her password every 90 days with one of a given complexity that has not been used before, the CEO says he wants to use a simple password (no joke, I've seen them use the name of the company all lower case) that does not expire. That's a clear breach of written security policy. But who's going to call him on it? Nobody, if they want to keep their jobs.
Ironically, the employees for whom following security policy is most important (not only due to company policy, but frequently due to external regulations like SOX, HIPAA, PCI, etc.) are the ones who are most likely to be able to bully IT staff into making exceptions.