Hi Lars
It looks like Christian posted his comment before me, but it's a similar experience for me...
You are right - quite a few SAP Security consultants come from an authorisation-only background and, even then, struggle with securing the application layer with the objects (think RFC connections and system users with SAP_ALL).
What does not help either is sales/business development teams selling clients project implementations and ignoring security in the costing or requirements. It's seen as a Basis task and that's about it. Security becomes built to budget or left as vanilla as possible.
The most convincing case comes when the auditors are skilled enough to identify the issues and make recommendations. But then management sees the $$$ required to fix it and baulks at the amount. This progresses to the equivalent of an insurance policy - unless there has been a violation/attack, they don't see the need to invest in proper security.
Regards
Colleen
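An added example, not part of Colleen's comment or anything else on this page: the kind of check a consultant would run for the RFC/SAP_ALL problem she mentions. It takes a list of RFC destinations with their stored logon users and a user-to-profile mapping, and flags destinations whose stored user holds SAP_ALL or SAP_NEW, or whose stored credentials belong to a dialog user. The destination and profile data are constructed for illustration; in a real system they would be extracted from the destination maintenance (SM59) and the user/profile assignment tables, and the field names here are assumptions, not SAP's own.

```python
"""Flag RFC destinations whose stored logon user is over-privileged.

Constructed example: destinations, users and profile assignments below are
made up to illustrate the check. Field names are assumptions, not SAP's
table layout.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RfcDestination:
    name: str
    target_host: str
    logon_user: str       # user stored in the destination; "" if none
    logon_user_type: str  # "SYSTEM", "SERVICE", "DIALOG", "COMMUNICATION"
    trusted: bool         # trusted RFC: no password stored in the destination


# Profiles that grant (almost) everything; any RFC user holding them is a finding.
CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}


def find_risky_destinations(destinations, user_profiles):
    """Return [(destination name, [reasons])] for destinations that need attention.

    user_profiles maps user name -> set of assigned profile names.
    """
    findings = []
    for dest in destinations:
        if not dest.logon_user:
            # Nothing stored (e.g. trusted RFC with current-user logon): nothing to check here.
            continue
        reasons = []
        held = sorted(user_profiles.get(dest.logon_user, set()) & CRITICAL_PROFILES)
        if held:
            reasons.append(f"stored logon user {dest.logon_user} holds {', '.join(held)}")
        if dest.logon_user_type == "DIALOG" and not dest.trusted:
            # A personal dialog user's password in a destination is reusable by anyone
            # who can call the destination, and it bypasses that person's login controls.
            reasons.append(f"stored credentials for dialog user {dest.logon_user}")
        if reasons:
            findings.append((dest.name, reasons))
    return findings


# Constructed sample data (not from any real system).
SAMPLE_DESTINATIONS = [
    RfcDestination("PRD_TO_BW", "bw.example.internal", "BWUSER", "SYSTEM", False),
    RfcDestination("PRD_TO_HR", "hr.example.internal", "RFC_ALL", "SYSTEM", False),
    RfcDestination("ADMIN_DEV", "dev.example.internal", "JSMITH", "DIALOG", False),
    RfcDestination("TRUST_PRD", "prd.example.internal", "", "SYSTEM", True),
]

SAMPLE_PROFILES = {
    "BWUSER": {"S_BI-WX_RFC"},
    "RFC_ALL": {"SAP_ALL"},
    "JSMITH": {"SAP_NEW", "S_RFC_ALL"},
}


if __name__ == "__main__":
    for name, reasons in find_risky_destinations(SAMPLE_DESTINATIONS, SAMPLE_PROFILES):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the sample data this reports PRD_TO_HR (SAP_ALL on the stored system user) and ADMIN_DEV (SAP_NEW plus a dialog user's stored password); PRD_TO_BW passes and the trusted destination is skipped because it stores no user. The point of running it over the whole destination list rather than spot-checking is that the SAP_ALL-on-an-RFC-user problem is usually introduced one destination at a time during a project and never revisited.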