Having been with 14 different companies/agencies, I see the same repeatable pattern:
1) Poor patch management
2) Outdated IT and Security tools
3) Lack of modernization of infrastructure
4) Poorly trained or (satisfied where they are) workforce
5) Users, no matter what the security training provided, who will click on an email that entices them.
Complacency, yes. Not upgrading tools because "What we have is working." "We haven't been hacked yet!" "We're too small. No hacker would want to come after us."
You have to have bold leadership too that can inspire a workforce. You have to have finance departments willing to spend money BEFORE a breach happens, not just release the purse strings AFTER an event happens.
And if all that fails, if you have a motivated attacker, they can eventually find a way in.