This is concerning, but not terribly surprising. The adoption of a security framework only happens when an organization has a strong advocate on the team willing to move the process forward. Having the right resources is almost universally a challenge for organizations and businesses, both large and small.
Government entities and regulatory bodies are starting to force the issue for many organizations in the form of audit findings and requirements. PCI, FFIEC, HIPAA and others are asking the question and expecting an educated answer.