This letter was posted today... and it could have been sent to our management. (It's not.) Many of the points echo exactly what is happening here. I would say the biggest excuse I hear is that management does not want to disrupt the corporate culture in implementing security controls.
I fear that a breach or severe incident will be the catalyst for change and implementing controls. Yes, I've had many small wins, but there is lots to do.