Because the benefits are reaped well before the full cost becomes evident. By the time everything catches fire, the person responsible has retired into their Mediterranean villas and will never come back to fix what they caused.
If I don't install one of these system (and global IT) killing EDR systems, and I have a breach _I_ am responsible.
If my company requires it, and I install it and the entire network falls over, responsibility is passed to the EDR vendor. Everytime the EDR platform in my org kills an app, much of the reaction internally is "Oh well, at least we are protected. Let's open a support ticket."
"Security" software has been troublesome since the first AV platform was released. But the personal risk for management to not deploy it is high.
Yeah this allows outsourcing both risk and responsibility. The institutional risk that you take in exchange is acceptable because it lowers personal risk
Generally individual managers who make these decisions are acting as short sighted as companies they belong to. Along with that, Company interests and individual manager interests don't always align.
I've been plenty of places where individual manager comes up with some grand plan, implements it, gets praise and leverages into new job. Meanwhile, that plan never makes it past MVP and is massive tech debt that will weigh down the company but they don't care.
