The root cause is almost universally greed and stupidity among the higher-ups, leading to:
- IT security people that are overworked, unappreciated and came from the pool of "cheapest possible" (as a result, everybody hates them, because they do no good, but prevent people from doing their work)
- Lack of IT security people
- Developers of security-critical software being "cheapest possible" or outsourced in the same quality class
- System administration being outsourced or overworked, and again "cheapest possible"
- Bad work environment, so anybody really good leaves and the rest stop caring about the company
- A culture where security must never stand in the way of earning money
- A policy of "shoot the messenger" often also contributes a lot.

If you think that Marissa messed this one up, then you are right on target. Of course she had help from the rest of the company "leaders" and Yahoo was in pretty bad shape even before she took over. Years back I had a domain with them, and 23 (!) different tech-support people did not understand what I meant when I wanted to run my own DNS servers. That was the last time ever I considered doing business with them.