There's a funny corporate culture that I have observed in Kenya that could shed some light on why local IT systems appear so vulnerable: TALENT COMMODITIZATION.
Take the banking industry for example, I recall a while back seeing some chatter on twitter about how big brands UNDERPAY key IT staff (I.e. the hands on technical staff like sysadmins / app admins / dbadmins & devs) in order to "save" on manpower costs. In this day and age that is not an intelligent thing to do.
Others assume that outsourcing to India will magically solve for costs, quality and security. I have worked on projects with "world-class" offshore teams and what I saw was a minefield of HIDDEN COSTS if you don't have your own savvy supervisory / QC team.
Then there is the "contract fixes everything" fanatics. Contracts mean nothing if you can't detect shoddy work - and if going to court after the fact is almost impossible given risks of PR blowback (in image sensitive industries). In many cases such contracts are just for CYA (avoiding blame or passing audit reviews).
Some tradition-heavy institutions still put IT under Finance directors / VPs or GMs instead of having IT representation at board level. This makes it hard for IT to push back on top-down "spreadsheet inspired" directives. You don't increase shareholder value by setting up your critical functions for downstream failure (or putting the entire org or at risk just to hit annual growth targets).
Beefing up the Infosec unit is pointless if the underlying architecture is full of holes. There is only so much duct taping that can be done. Worse if that team is underpaid as well.
It's also interesting that many local companies don't have a "specialist path" for technical talent advancement. This limits the political/decision making clout for technical talent as well as limiting their personal growth. Hopping / side hustling / track switching (e.g. to management) is the end result.
These mistakes have cost the financial industry (for example) a whopping 17BILLION in potentially avoidable losses (and still counting).
So much for HR "cost savings". :-/
I think the Infosec crisis in Kenya is just a SYMPTOM of bigger "organisation and culture" issues - and short term thinking is right at the heart of it.
"Financial institutions in Kenya have recently become a soft target for cybercriminals, with police records showing that they lost about Sh17 billion to the fraudsters in 2016, up from Sh14 billion in 2015."
https://mobile.nation.co.ke/business/Police-probe-130-bank-cyber-fraud-suspects/1950106-4959008-12vounp/index.html