How it happens
Many participants in the market try to shift some of the problems of protecting IT onto their users. Security awareness is an important component, but it is only ONE component and should transport awareness according to responsibility.
A CIO, an AD administrator, an accounting staff member - each must have awareness of the remaining cyber risks to their area of responsibility.
Distinguishing between products that always protect versus products that only sometimes protect is not straightforward.
Unfortunately, far too often secondary factors such as ease of contracting or pretty administration interfaces contribute to decision making. These secondary qualities, however, do not result in a core product that truly understands „security“ and adequately implements the product‘s protection goals.