I've seen this go from bad to worse. A company had a bad project manager they couldn't get rid of, and required a security person by law, so they promoted him. The idea was he would get kicked out of the company the next time a security boo boo happened.
It went a lot worse. The guy had no idea about security and no common sense, and did genius things like forbidding encryption in the name of security (so the network people would be able to do packet inspection for monitoring security). But he created a morass of paperwork, and made it impossible for any project to make any kind of progress without involving security. End-user computers slowed to unusable speed as he threw in more and more snake oil security software. As his rules were vague, dumb, self-conflicting and very, very time-consuming, nobody followed them, so he could always point to someone not following the rules when a security boo boo happened. He grew his department like a mushroom, wasted huge amounts of money, and entrenched himself completely, all based on sweet talk and complete nonsense. I've learned a lot about office politics watching him.