Pentesting findings don’t get fixed for a number of reasons. Some of which are out of the IT teams control.

But also, many many IT teams are burnt out putting out so many other fires and working on other “more important” projects handed down to them by management that they don’t have time to fix security issues.