The rise of machine learning and deep learning capabilities has dramatically increased while the barrier of entry introducing these into your software stack has decreased. A small tech firm today can offer capabilities that benefit from learning/inference applications without necessarily needing a data scientist on staff and it's safe to assume they might not have a security engineer on staff either. Much of the ML/DL applications used today were originally designed without considering potential adversarial threats. Even at a large company it shouldn't be assumed that data scientists are fully aware of the potential security risks to ML/DL applications and I believe that for most security professionals there hasn't been a significant issue yet within ML/DL to put these systems on their radar. This leaves a huge opportunity for hackers to do a considerable amount of damage before reactionary counter measures are taken within the tech industry. I generally find, especially within the security industry, that it's 95% reactive and 5% proactive with most proactive capabilities existing within the more wealthy of businesses.