management simply doesn't want to be responsible for it

That sounds dysfunctional. The purpose of management is to manage risk, not to avoid it. A proper manager would be able to quantify both the risks and the costs, present those figures in an easy overview, and then be able to defend their decision (or advise higher management) using that.