Is it just a problem of too few security professionals, or are there other reasons enterprises struggle to build infosec teams?

Is it just a problem of too few security professionals, or are there other reasons enterprises struggle to build infosec teams?