I am not surprised. You already know that security is viewed as an expense rather then a benefit by many managers.

Even if they are "advanced" in their thinking and actually have a security person, they usually don't allow that person to do security work all the time. In another lifetime I was assinged to Internetworking Security for $VERY_LARGE_INSTITUTION; I did get to do some fun stuff and actually tracked a hacker once, but most of the time we did monkey work.

Also don't forget there is my FAVORITE phrase of all:

Now what surprises me is that you were shown source. A few companies I worked for would terminate you for that.