I disagree with you on the "most people who work in the sector have no clue" statement. People have long known about IT security issues. It's not like things like "sub7", "winnuke", "nimda", "code red", etc. weren't issues.
We've long known about NTLMv1 issues and it was strongly recommended as a hardening practice as early as 2001/2002 when Microsoft implemented it.
The issue has never been "nobody having a clue", but more like, "Management not giving a shit". Yes, the state of information security is atrocious. But that doesn't stem from the IT guy so much as it comes from having to approach management, "Hey, we need to upgrade to this system to improve our security and reduce our risk."
Blame IT for not being able to put it well, or blame them for not being able to play the social game well enough to get the boss to want to listen to them over their friends. But in some cases, you really don't have much leg to stand on. Even if you were logically correct, even if you were on the boss' good side, the reality is the guy who says "NO DON'T UPGRADE JUST STICK WITH WHAT YOU GOT AND THROW THIS LITTLE BOX IN FRONT OF EVERYTHING!" is going to win, all of the time, for the simple fact that he appeals to the boss' wallet.
Telling business leaders they need to not only spend money on IT, but spend it repeatedly and regularly, is something that is almost never going to go over well. And it's something that's needed to keep up. The "bar" itself is constantly moving.