Mainly vendors. They'll often drive towards profit and only do what's required or industry standard for their information security or the security of their products - no need to go above since for them that'll just be more costs and less profit. Think the commercialization of products selling security features with special names and marketing frills like 'military-grade' - no innovation when you are doing the same thing as everyone else.

iPhone sells their phone as the most secure when in practice an Android (Pixel) are both extremely similar in their implementations (default disk encryption, private messaging app, permission controls, a secure element etc.), just an example.

A lot of the best results come from groups like this I think. It's likely why Apple and Google (Project Zero) have their own dedicated teams for these things too.