Because the benefits of not following the rules accrue to the individual, but the cost is spread out over the group as a whole.
So, the real question is, how do you get out of a tragedy of the commons situation?
Carrot vs stick
There are two ways. You can use the stick strategy, which would be a benefit to the group but a cost to the individual, or a carrot strategy where there is a benefit to both. Most security thinking up until now has been of the stick strategy: “You must do this, or else lose your job.”
But there’s a growing appreciation that a carrot strategy works much better. If you can come up with something which is a benefit both to the group and the individual, those rules are much more likely to be followed.