1) The people who built the site initially are gone. Even the people who hired them to do it are likely gone now.
2) The person paid to "maintain" the site is just a technology "manager" who doesn't really know all that much about how it works.
3) There is nobody at the company who can tell if the "audits" they are paying for are snake-oil or not, but they're expensive so they must be good.
4) Even if the threat is real, they don't even know where to start in assessing it so they just fall back on their expensive "audit".
This leaves them unable to tell well-intentioned do-gooders from Nigerian princes, so their initial response of just blocking them might not be that far-fetched. It does start to look increasingly bad when it becomes clear that there is a real problem at hand. The quality of management can be measured by how quickly they identify the blind spot.