Hiring a person and training them for the role is going to be quite a lot cheaper than finding that rare professional, who's going to command a very high premium.
Which means that at least one of the following things is true:
1. You're not willing to pay enough for an individual who's a perfect fit.
2. You're not willing to hire someone who's not a perfect fit and spend money to train them for the role.
3. You've done the math and concluded that the cost of doing either 1. or 2. above is higher than the value brought by actually securing these applications (who's doing it now? nobody?)
So in cases 1. or 2. it's entirely your company's fault, and in case 3. it's nobody's fault and you don't actually care about the end result. It's an evergreen listing for a job that you already decided shouldn't exist.
It's very difficult to train somebody for a competency that's lacking in the organization. Could you train up a DBA or React expert if you had no expertise in those subjects?
I didn't claim it was anyone's "fault" - OP asked what type of engineer is hard to find, and I answered. Obviously #3 is the real truth, which is why IT security is and will continue to be a nightmare.