Anecdotally, I know of at least one large FI that tells auditors it's doing x, y, and z for security, when in reality their security practices are abysmal. They spend $1MM a year on a vendor product that in theory does x, y, z (though quite badly), install it on a server, and then never think about it again.
I've had important projects canceled because executives go 'oh we already have $tool this project is a waste of time'. I demonstrate that $tool hasn't been updated in a decade, has 0 users, and is completely ineffective, and how the project will address these issues. They respond 'oh we already have $tool this project is a waste of time'.
You are not buying a solution, you are buying compliance. It does not matter if the problem is either hidden or removed, because the outcome for the executive's success is the same. Hiding usually costs less.