I think you hit one problem and it may be one of the worst in security. Security, as so many other aspects in IT, is today seen as a "specialist" job which doesn't count anyone else - until something bad happens?

I remember teaching the first security framework in a big company long ago. It was supposed to be basically to a limited audience. Once the word spread, I had to have three more courses, people from all organizations and departments did want to learn about security, what and how it would work for them. I don't see that happening today, as I said, employees are told to execute something, not to learn about it, and it creates a "not my problem" culture very fast.

At least I have found that sharing information and getting people interested is always better to whatever my goal is than just giving orders which often look just more work for individuals.