IT decision makers have a very difficult job. They are often asked to make technology decisions on subjects for which they may only have cursory knowledge. Then when things go wrong, they are responsible for dealing with the fallout of those decisions.
It’s one thing to make a mistake when deciding on something relatively trivial, like picking out what kind of PC to buy. You can easily address shortcomings for a disappointing solution. A PC that isn’t powerful enough can get more RAM or can be upgraded to a bigger hard drive. However, when it comes to making decisions about security/risk, the stakes are much higher.