There's a well known phenomenon where if the infosec division of a company is working well, it's not obvious at all to management, because no leaks are taking place. So their budget gets cut. And then the data leaks/breaches happen.

Once a leak happens, the infosec division gets free reign for a few years. Until a new manager goes all "you guys don't even do anything!", and the cycle repeats.