They have to keep up with new technologies, all of the new security potential vulnerabilities are frequently too difficult to keep up with unless that is your full-time job is security. Also the concept of attacking one’s network with multiple “pairs of eyes” is also a good thing.
Most IT departments get burned out and after some time just “soldier on” with the environment as it is. “Damn the torpedoes – full speed ahead” .
One thing I have learned is that the attackers are already here – they have infiltrated your network, and are attacking non-stop looking for your weaknesses. what you need is to make sure that the IT department is doing what it says it does.
The only question is how bad is it?