I teach information security classes at the college level and one of the things that always comes up is the need to get management to understand the necessity and value of information security. At a root level, it is vitally important for management to understand the core principle - that information is an asset and needs to be protected as such.
I am convinced that many leaders have not really understood this principle. They often do more to protect the office furniture in their organization than the do the social security numbers of employees! While some may do this intentionally, I think most do it out of ignorance, since they don't really realize how valuable some information is.
While the cost of protecting that can get high, many simple things are completely "free." That would include not using SSNs (or the last 4 digits of an SSN) as a default password or reset code for an internal system, especially if it will be stored somewhere in plaintext.
I am on a quest to educate management in this, though I have to figure out how to get through to them. That is the $64,000 question, as they used to say (based on the old game show). How can you get an audience with them and then make them see the importance of the basics of securing information using terms and phrasing they can relate to and that is compelling.
Hopefully I can work more of that in my future efforts.