While this may be true most of the time, there are cases where the CEO has taken full responsibility. A podcast [1] by Darknet Diaries on a breach in 2015 at mobile provider TalkTalk in the UK tells of such a case.

[1] https://open.spotify.com/episode/4fihCSOPKrIDXPB2azNgOc?si=3...