Generally, input as to what would be required for the organization to be in compliance came from outside regulators and auditors who probably knew less about IT, and certainly knew less about the business, than the organization itself did. A somewhat natural response was to push back on these requirements, deny that they had validity, and hope that they would go away. By the time many organizations finally got around to doing something, the deadline was close. So they did the minimum needed to comply, or more pragmatically, to pass an audit.
Almost every day, I talk to someone who is in this boat. But compliance is not a one-time fix, and so many folks are starting to come apart under the pressure, or have gone the other route and given up, hoping that they will get lucky and no one will notice. There is a middle ground, though: a longer-view, user-centric approach that, while certainly not painless, can be a lot easier than many make it.