This story explains why every workplace safety exam I ever took had at least one question similar to "who is responsible for fire/machine/... safety" where the only correct answer was "everyone".
This goes for computer security as well, but in practice without at least a voice in the management security will get axed on every turn because it is seen as all cost without benefit to the company. This is changing slowly, mostly on account of the GDPR, but it is still the prevailing view.
