Hacker News

spunker540 yesterday at 10:12 PM

I’m just a swe, but I kinda thought cyber is a good place to be, since the proliferation of insecure vibecoded apps.


Replies

827a yesterday at 10:35 PM

Companies have never cared about security, because there are almost no consequences to data breaches. A hospital network could get ransomwared for 48 hours, and no one cares. Critical data gets leaked? So what, pay a fine. You either pay a fine to the hackers, or you pay a fine to the government, or you pay a fine to customers, but no matter what it's substantially less than a fully staffed security team, not just because security professionals are expensive, but because security professionals slow everything else down, they'll spend all day telling everyone what they can't do, which == lost revenue growth.

The only thing keeping security companies in the business is compliance/certification. If you've been around these compliance programs for long enough you know: they're box-checkers. But, sometimes you need to check that box, begrudgingly, annoyingly, so most companies will prefer to just outsource that security work to some managed security services provider, then think about it once a year when audit time comes around.

bpt3 yesterday at 11:30 PM

What is a cybersecurity professional going to do about a bunch of vulnerabilities in an app that someone else decided to deploy on a network they are responsible for?

99% of cybersecurity in the commercial sector is a box-checking compliance exercise.

rfgplk yesterday at 10:28 PM

Most companies sadly don't care about security whatsoever.

wizzwizz4 yesterday at 10:27 PM

There would not be such a proliferation if cybersecurity were a well-respected field.