Tyson is an A#1 example of a pompous ass out of academia.
Mtnbkr brings up good points though. I have no experience in private sector IT security, but in fed.gov, we did annual security inspections involving scans and inspectors physically coming out to look for holes - everything from improperly configured equipment, to visitor logs, to people going to the head and leaving their CAC plugged in. I forget which DoD protocol it was, but it generated POAMs every year (basically a list of crap that had to be mitigated). The end responsible person was each agency's head, generally an Undersecretary.
All anyone ever cared about when mitigating POAMs was, "How can we respond that this actually isn't a problem that needs to be fixed? If we can't do that, what's the quickest and easiest workaround to check the box that the POAM was fixed, even if it's really not?" Mitigating security holes was all about doing the least amount of paperwork and having the fewest POAMs so that your agency CIO wouldn't look bad when reporting to the Undersecretary. Actually fixing security holes was secondary.
In some defense of the people who wanted to sweep stuff under the rug, the entire POAM process was such a big boondoggle of time-consuming reports and paperwork that you spent more time talking about problems than actually fixing them. If the procedure is similar in large private sector companies, I can see why they have security holes.