My experience as well. My background is enterprise development - mostly what would be classed as the M in SME (Small-Medium Enterprise) with forays into the big E - and all of them fell down on even basic security in so many, many ways.
Example: at the largest place I worked (5000 staff, 200 in Dev/QA) I found out by accident that the outsourced devs were using personal laptops when, in a sprint meeting, I asked where someone was and got back "His work machine died, he's nipped home to get his personal laptop".
That company constantly raved about how good its security posture was...
I spoke to my oppo number on the IT/platform team and his response was "yeah we know that happens, I've been trying to get them to ban it/make it impossible for a while".