One of the problems with incompetence, of which there are many, is that it gives bad actors space to operate. From a security point of view I don’t think the distinction matters all that much.

That said, the situations I’ve head about were from affiliate ransomware attacks that didn’t make the news because the backup worked. It’s difficult to keep things secure from highly motivated internal bad actors. I’ve been told it’s an increasing trend but have not heard much about it publicly.