It's really difficult to audit all this stuff. I was at a health insurance company where someone used su to go to a different user on a box they had root on and it did get picked up by the security team, but only a few weeks after it happened.
I was offered a security job at one shop and turned it down, keeping my development role. They had 3 security people for the company (total IT size was 500) and it involved a ton of log parsing, DDoS work, and they were starting to develop an internal white listing application tool. They wanted to bring me on because they desperately needed a developer to add some automation parsing the important from the chaff. (A younger me would have probably done this back when I wanted to be a Pen-tester. I only got interviewed/offered the position because I made the mistake of talking about going to Defcon on a company Slack channel and the security guy insisted I interview.)