Hacker News

The voices with common sense are removed vertically and horizontally in the organizational structure.

Concrete example: The compliance department in a different country mandates that all passwords must be salted (great) and use modern hash algorithms from a whitelist. That whitelist consisted mostly of the SHA-2 and RIPEMD families. We were using bcrypt to hash passwords, which is an actual password hashing algorithm instead of a general-purpose hashing algorithm. Since we were organizationally so far removed from the compliance department, even escalating the issue several management levels had no effect other than being told "compliance is important, don't waste time on meetings about this, just change it" and "this is not a hill to die on". So we worked around this by using scrypt instead (which is not on the whitelist but is based on a hash in the whitelist), but the asinine policy is still in place because it was considered too much effort to get them to change it. Of course the next team that wants to implement a web service with passwords will face the very same issue and may take them at their word and use SHA-2 directly. Great success.
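The difference the comment above hinges on, shown as an added example (not the commenter's code): salted SHA-256 applied directly versus scrypt, which the Python standard library exposes through `hashlib.scrypt` and which internally derives its input and output with PBKDF2-HMAC-SHA256, so it is "based on a hash in the whitelist" in the sense the comment describes. The storage format, the scrypt cost parameters and the micro-benchmark sizes are assumptions chosen for the example; production parameters should be tuned to the deployment's hardware and latency budget.

```python
import hashlib
import hmac
import os
import time

# scrypt cost parameters (assumed for this example, not taken from any policy):
# N is the CPU/memory cost and must be a power of two, r the block size,
# p the parallelism. N=2**14, r=8 needs 128*r*N = 16 MiB per guess.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per password
DKLEN = 32      # bytes of derived key stored


def naive_sha256_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 applied directly: what a literal reading of a
    'salted SHA-2' whitelist invites. One guess costs one compression
    function call, so an attacker with a leaked table tests billions
    of candidates per second on a GPU."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def scrypt_hash(password: str, salt: bytes) -> bytes:
    """scrypt (RFC 7914) via hashlib: memory-hard, deliberately slow, and
    built on PBKDF2-HMAC-SHA256 internally."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def store_password(password: str) -> str:
    """Return a self-describing record (assumed format) so parameters can be
    raised later without breaking verification of older records."""
    salt = os.urandom(SALT_LEN)
    digest = scrypt_hash(password, salt)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time. Malformed records verify as False rather than raising."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p),
                                   dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def guesses_per_second(hash_fn, salt: bytes, n_guesses: int) -> float:
    """Constructed micro-benchmark: candidate passwords one core can test
    per second against a single leaked record with the given function."""
    start = time.perf_counter()
    for i in range(n_guesses):
        hash_fn(f"guess{i}", salt)
    return n_guesses / (time.perf_counter() - start)


def attacker_slowdown() -> float:
    """How many times more expensive each offline guess becomes when the
    record was produced with scrypt instead of bare salted SHA-256."""
    salt = os.urandom(SALT_LEN)
    fast = guesses_per_second(naive_sha256_hash, salt, 20000)
    slow = guesses_per_second(scrypt_hash, salt, 5)
    return fast / slow


if __name__ == "__main__":
    record = store_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print(f"scrypt makes each guess ~{attacker_slowdown():.0f}x slower than salted SHA-256")
```

The salt defends against precomputed tables, which is what the whitelist's "salted" requirement buys; it does nothing about the per-guess cost, which is the property a password hashing function adds and a bare SHA-2 or RIPEMD digest lacks. Keeping the parameters in the record is what lets the cost be raised later without a migration.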


