Hacker News

In my experience, security is so far removed from the actual job description/day to day cares that it's perpetually "somebody else's problem", seen as an unnecessary time sink. Usually there's a couple of people that actually care, but they're ignored and lack the power to influence change.

Not lazy, just overburdened by more important things.



That seems to match what I've seen. Especially the last line. It's just so weird the dynamic between "pretending to care" and "actually caring." I've worked at or consulted on small teams that were very "lax" about security but everyone seemed to take it seriously so it "worked."

At larger orgs, I notice they take it "seriously" but that results in people finding creative loopholes... like pasting in all the important production keys/passwords into a Google Doc and sharing the Google Doc because they "can't send secrets over Slack" ... lol



