
This happens all the time, not just in the cybersecurity domain. A common example is a new system developed from business requirements that, once delivered, is not usable in practice or needs constant human intervention to keep the process moving. There are many contributors:
- The business requirements are spelt out generically; it is hard to specify UI/UX precisely in a formal specification
- The business requirements are not well understood by the system developers, who think from the computer's perspective rather than the process perspective
- The business representatives participating in the development do not fully understand the current process
- The test cases lack real-life cases to validate against
- the list goes on …
Similarly in cybersecurity, the policy maker and those executing the policy will be misaligned if the policy maker does not understand exactly how the floor operation works. Don't just copy and paste textbook knowledge and lay it down as policy. If you do, it will be a disaster.