What are some fundamental issues that impede cybersecurity?
The lack of "easy and straightforward" answers and the deeper you dig, the more the uncertainty grows. Moreover, there's rarely an easy solution for any open security issue you are facing -- and if that's the case, you are probably not doing your job because the easy stuff should have been already done anyways.
The perception that security is a binary number, either you are secure or insecure, when the name of the game is a risk management exercise. But cybersecurity is still a relatively new field. We lack historical data like the insurance industry. Probability is a gut feeling for the most part. It is hard to tell when there is enough security. As a security practitioner, I think we will continue to be in this state for a while.
1. That there is a "silver bullet" that solves everything.
2. That cultural view that Cybersecurity is the responsibility of the "Security Team" and not "everyone".
3. That there is no real ROI for investments in Cybersecurity.
4. That until something bad happens, there's not enough budget or focus given.
5. That there are just as many "snake oil salesmen" out there now as there are actual practitioners.
6. That to be considered "successful" in the cybersecurity space, you have to be well-known and have a lot of followers on social media.
Technical debt for existing and legacy systems that requires investment and collaboration across all roles to advance systems to a modern state of protection, detection and automated remediation. As others have cited, it is not about security being alone, it requires ownership and participation from all roles.
There is soooo much money to be made hawking the latest and greatest cyber-panacea, that it becomes difficult for corporate security staff to tell which products are security theater and which are actual security benefits.
We get our industry and governmental alerts, CVE reports and so on, but these outlets tend to be very tactical and part of a short-term response.
Crafting a long-term strategy that has the flexibility to morph as the security challenges change is the real hard part. Almost all of the notifications I see about adapting to future challenges are paid for by a vendor that has clearly solved the entire problem and no one can survive without their product (sarcasm). It’s hard to focus the limited budget and staff on the long-term issues.
Doing product pilots is time-consuming and requires resources from operational teams. The clock is still moving and the aggressors are tuning up for the next variation, but we’re trying to decide which products have real value for actual security.