ZDNet's Government IT blog asks why Federal IT security was so crappy. The post was spurred by a piece by Zach Goldfarb in the Washington Post that answered that question and gave some suggestions on what to do about it.
At the state level, security isn't a whole lot better. Utah spent a lot of time on it leading up to the 2002 Olympics because we knew we'd be a target (and we were). But even in normal times, government IT sites see more than their fair share of attacks. At the same time, IT security is one of those things that most leaders outside IT don't want to hear about because it's a drain on what they want most: accomplishments worthy of mention in the news.
You could argue that a big security breach is news and not the kind politicians want, but the media types that cover politics don't seem to be savvy enough yet to tie those failures back to the non-IT leaders and public policy. Usually, the problem is reported as a technical problem with no ties to administration policies. Goldfarb's article is a sign that this is changing.
A good part of the responsibility lies with agency (or state or municipality) CIOs who have to spend the time and money to get security right even if it's not what their boss is pushing them to do. Ultimately, it's the thing that's in the best interest of the citizens being served.