Security, as far as a corporate entity is concerned, is fundamentally a way to reduce business and legal risk. A lawyer at the top, making those decisions with the input of technologists, seems like it should be reasonable when things are working correctly. This isn't a failure of skillset or knowledge, it's a failure of ethics and leadership. (Which should, to be clear, be punished far more severely than skill-related incompetence.)