Exactly, @JoePete.  Industry wants the benefits of technology, but none of the discipline the technology requires for its preservation, protection, or continuity.  

I wrote a post-mortem presentation for senior leaders at a previous employer.  There had been a ransomware attack (spoiler alert: the bad actors may have encrypted our infrastructure, but insurance paid for remediation, backups were used to restore ALL data, and the miscreants didn't get a penny).  In the post-mortem I noted the attack (phishing email, users with too much privilege, a public-facing RDP server), and described what it would take to reduce our attack surface, and improve our data health and resilience.

I didn't ask for much in the presentation, either.  The response had already improved our infrastructure, it rapidly mitigated our patch status, increased our defense in depth, and we were already planning to make the backups more redundant -- because we knew what the saving grace was.  I just wanted a mandate from the executives, now that we knew what was at risk.  IT needed visibility, and it finally had some.  I went the meeting expecting their due care and due diligence.

There are eight executives with the company. Only three came to the presentation.  "It looks like we have hurdles to clear, and thanks for putting this together.  I sure am glad we had insurance," and with that, the meeting ended.

As mentioned earlier, in the absence of any other authority, compliance goes a long way.  Insurance companies are literally experts in stanching losses.  They are fully aware of NIST.  They could easily demand minimal compliance with the CSF (or hell, the SANS Top 18 if they really want to phone it in!) to ensure demonstrable compliance with such standards.