Almost all big companies handle security on this kind of cargo-cult basis, because it's easier than finding someone who understands security and letting them overrule stupid ideas.
PCI compliance requires we change our login passwords every two months. This to me seems to just encourage users to create insecure passwords and sticky notes with them written down somewhere in/on their desk.
Put yourself in their shoes though. The people at the top don't really understand security, other than the vague "only the right people should have access to stuff" requirement.
I think the problem is that the people in charge of making decisions are gun-shy. Because of their inability to properly evaluate the security itself, it's also very difficult for them to properly evaluate people telling them what the security system should look like, and they've been burned by bad decisions in the past, so they take the "lalalala do nothing" approach and hope for the best. From their point of view, it's a perfectly reasonable approach to the problem.
Maybe this loud PR thing will go up to the people in charge and stuff could actually be resolved at the root?
Or maybe it will just be forbidden to tweet about internal policies in the future for security reasons, NSA cover style.