I have observed, while visiting various companies, that security is blamed on everyone else. Management thinks the responsibility falls upon employees, employees upon management, and management upon either internal or external IT.
When something goes wrong, the IT department is the first place of contact. It is impossible for the IT department to know everything and how to fix it; they can usually figure it out, but it takes time and resources.
Everyone has a responsibility to stay vigilant. A simple click on a link, a download, or entering your credentials into the wrong area can have detrimental consequences.
A culture of security is one of the least expensive and most effective things a company can do to protect itself. Management needs to take a leading role and stick with it.
You are only as strong as your weakest link.