
I think that the problem is just that the people making these decisions are not security experts, but web designers.



Or often managers who are very concerned about doing the right thing but don't have an expert that they know/trust and so rely on their understanding, which is probably based on the horrible finance sites they use.

I once spent several weeks having meetings where people tried to develop a login management process on a whiteboard from first-principles — in the federal government where the right answer was “We'll follow the central security group's required process” – because they didn't have a security consultant but knew security was a Really Big Deal and didn't want anyone to think they weren't thinking about it.



