When managers deploy "average" security solutions, they're not trying to protect against threats, they're trying to avoid getting fired.
If they deploy something unusual and it doesn't work, they'll be fired, regardless of how it failed or the merits. If they deploy something everyone else has deployed and it doesn't work, they will be commended for following "industry best practices."
Not all organizations work this way, but many do. When something breaks, there's a big temptation to avoid an investigation into exactly what happened. Who knows what that could turn up! Much easier just to fire middle managers for prima facie reasons.