In 2016, the New York Times hired former hacker Runa Sandvik as their Chief Information Security Officer for the newsroom and journalism operations. Last July the paper published a Times Insider profile on Ms. Sandvik.
On October 22 Ms. Sandvik tweeted that the NYT eliminated her role at the paper, saying the paper "stated there is no need for a dedicated focus on newsroom and journalistic security."
So, one of the most high visibility news organizations in the USA, if not the world, is not worried about implementing two factor authentication, or training the news staff on phishing attacks, or implementing safeguards to protect the confidentiality of reporters' news sources.
"Information Security is critically important to The News York Times, which is why we recently hired our first chief information security officer," the [Times] spokesperson stated. "While we don’t comment on specific personnel decisions, the restructuring of our InfoSec group that was announced yesterday is fully consistent with strengthening The Times’s data security protections in the newsroom and across the organization."
Incidentally, Runa Sandvik's title was "Senior Director of Information Security", not CISO.
Money is the issue. Newspapers are hemorrhaging money. If your aren't the advertising wing of the publication you are a financial liability. Add in the fact that security isn't a problem until you are hit then why pay for a CISO. They are willing to take the risk in the short term to gain stock value and market share.