Untrue (in general). The CSO is frequently given lots of budget and authority. Having talked to some of the big bank executive teams, they have thousands of employees and hundreds of M$ budgets with wide latitude to enforce restrictions. It is just that the best commercial cybersecurity processes and “best practices” are useless against professional attackers with even minimal budgets and staff.

Any technically competent CSO knows they are totally screwed even if they implement everything feasible perfectly (i.e. no inane solution like shutting down the whole company). It is not a problem of resources or commitment (though you could also have those problems), it is a problem of impossibility due to the incompetence of commercial IT cybersecurity processes.

The only way to survive in a environment where you literally can not do what you were ostensibly hired to do is to lie and take the fall. The only other alternative is being too stupid to realize you are screwed, but every bank cybersecurity executive team I’ve ever met knew that someone could go in and steal all of their documents for less than 1 million dollars (you could also change things, but the out of band cross-checking makes that hard without intimate knowledge of the specific financial checks, more a question of knowing how banks work than hacking, the 1 M$ gives you full access rights, but you need to be careful not the drive the tank through the wall of the general’s office).

This changed a lot in my perception. Security teams have now more authority — and it's driving everyone else nuts.

Back in the day there were moderate bounties offered ($100s) for finding security holes. It was far more cost effective than organized security review and testing.