This is largely correct. However, staff also need to be trained and drilled on security policies and procedures. That's often lacking, especially if security is outsourced to third party contractors.