
Because the people with purchasing authority know nothing about security, they are unable to distinguish real, good security practices and products from defective, over-hyped, and/or pointless "security" products constantly shilled at them.

In other words, "cybersecurity" is a "Market for Lemons": https://en.wikipedia.org/wiki/Market_for_lemons

   A lemon market will be produced by the following:

   1. Asymmetry of information, in which no buyers can accurately assess the value of a product through examination before sale is made and all sellers can more accurately assess the value of a product prior to sale
   2. An incentive exists for the seller to pass off a low-quality product as a higher-quality one
   3. Sellers have no credible disclosure technology (sellers with a great car have no way to disclose this credibly to buyers)
   4. Either a continuum of seller qualities exists or the average seller type is sufficiently low (buyers are sufficiently pessimistic about the seller's quality)
   5. Deficiency of effective public quality assurances (by reputation or regulation and/or of effective guarantees/warranties)


I think it's a bit more complicated than not knowing anything about security. It's more that security spans most other disciplines and security companies tend to focus on a subsection. Understanding whether a technology fits your use case and is effective often leads to long PoCs or trusting an analyst, costing you time and/or money. Fun fact: most analyst firms like Gartner rarely touch a product and rely on the vendors to answer questions and send demos. It's very much a market for lemons because it's hard to actually test vendors' claims without a significant investment.


No, they do not know anything about security. Find me a CISO or VP of engineering who will dare to openly claim they can protect against a hacker/red team with $10M and would accept a challenge proving that. Frankly, I doubt you could even find one at $1M, let alone $10M, as most Fortune 500 CISOs my colleagues and I have talked with usually peg the number at closer to $100K. Attackers with literal chump change like $10M are viewed as impossible threats; it is ridiculous. The entire commercial IT industry is systemically incompetent by multiple orders of magnitude with respect to actual software security.


Why would anyone who knows security make that claim? There's so much more than just software security. Even if you secured every bit of code your company wrote, that wouldn't make you secure. How much does solving for every OWASP top 10 vuln help when only 10% of your product is software your devs wrote? What about the open source libraries or non-software parts of the business? You can't run a company without using some amount of 3rd party software or having at least a few employees who need to communicate using chat or email. While I'd agree there is a lot of incompetence out there, I think the problem is much harder because there are a lot of variables out of your control. Now we're back at the original problem of how I try to control for people and vendors I have to work with when there's a huge imbalance of information.


If your dependencies are out of your control then you are incompetent at security, full stop. Wrangling your dependencies and inputs is security and engineering 101. You will not get meaningful security without doing so. Being unable to do a critical part of the job because it is hard is textbook incompetence.

Everybody everywhere in software being totally slipshod on these elementary practices is a big part of why there is no meaningful security anywhere.


Agreed. There is a reason OWASP's top 10 barely ever changes, source: https://medium.com/digitalfrontiers/changes-in-owasp-top-10-...


The purchasers increasingly have the knowledge, but not necessarily the budget. Those who have the budget can justify implementing in-house.

