They don't want to do their job well. They want to look like they're doing their job well, to people who don't know how to do the job and whose metrics are completely divorced from actual merit.
That’s a common misconception taken from an engineers perspective but you have to understand their job isn’t about engineering, it’s about risk mitigation. And when viewed from that perspective, they are doing their job.
The real problem is that the domain has gotten so complicated that a traditional risk mitigation approach to is an outdated role and is now better fulfilled by technical staff who specialise in security. But that’s an organisation problem caused by senior management (C-suite and above) rather than a particular individual in that specific role not doing their job well.