90% of businesses have basically zero IT security. Leaked passwords in regular use and no process or verification for password resets. As soon as someone complains that 2FA or password rotation is difficult it gets dropped. Virtually all company data is stored on USB keys, plaintext hard drives and on staff's personal home devices.
The reason they're not constantly having their data stolen is because no-one cares about the companies either.
We have a custom backend website I have to log in for my work. You don't have to use a password, just an email address. The only "security" is it's on a weird URL that people wouldn't likely know if they weren't given it.
Which might explain why medium sized companies that are not completely clean-nosed are happy to run Windows 10 with all its spyware elements running unregulated.
It's also terrible in the government sector, which is why the NSA's huge database on US internet traffic is accessible to rivals like Russia, Iran and China.
I believe Microsoft’s 365 platform helps a lot in that matter. Even without any security strategy or custom configuration M365 offers a better security level than those businesses could ever reach themselves.