Based on systems I've seen, a little of both. I have yet to see a full implementation of app whitelisting, and I've been in some places that use a completely flat network topology even though they have the ability to properly segment. The reasons I have seen for both of these have typically been impatience and lack of training.
So OK, we have this nifty layer 3 core switch with all these lesser switches. Cool, let's set up VLANs so we can better secure our servers... 6 months later the ACLs have been all but removed because there are too many problems with traffic being blocked, and rather than figure out how to resolve it, someone in upper management makes them turn off the rule that is blocking it.
We install a nifty enterprise-level client-side security suite. We run all the pieces (firewall, heuristics and regular AV). We figure, cool, let's use Application and Device Control! Rather than follow the vendor-provided whitepapers and set the system to logging only on your test group, you decide to just add the MS Office apps, but then nothing else is working... Rather than figure it out, you turn it off and only use blacklisting.
One more on Apps, patching... Well we use WSUS so all our problems are solved!!
"Ok so what about Java and Adobe patches?"
We don't patch those.
"How 'bout MS Office?"
Well, WSUS does that, right?
"No, your WSUS is configured with default settings; you are only downloading Windows OS patches, you don't have Office checked off."
So with all that, your apps are not properly patched, your network is no longer segmented, and your client-side endpoint protection is about as good as free AVG. I won't even get started on the unused IDS/IPS appliance.
Most companies that don't invest in talented individuals to run their networks tend to have all the shiny tools, but none of them are configured properly, or at all. Back in the day, you would have to try very hard to crack the shell, but now you just need to compromise the human piece and then make your way back out of the shell. Our traditional methods of detection no longer work unless you utilize the added pieces and start whitelisting the network. Do not allow the unknown to run!
Or I am completely full of crap but that is for others to decide.
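The WSUS point in the post ("you are only downloading Windows OS patches, you don't have Office checked off") is something you can verify instead of assume. The following PowerShell is an added example, not part of the original post, that reads the product categories and update classifications a WSUS server is actually subscribed to and warns if no Office product is selected. It assumes the UpdateServices module (installed with the WSUS role or console) and WSUS admin rights; the hostname, port and SSL flag are placeholders. Note that third-party products such as Java and Adobe will never appear in these categories, since WSUS only serves Microsoft updates; those need a separate patching mechanism regardless of how WSUS is configured.

```powershell
# Added example (not the original poster's code): audit what a WSUS server is really
# set to synchronise, so "we use WSUS" can be checked against the actual subscription.
# Assumes: UpdateServices module available, WSUS admin rights. Placeholders below.
Import-Module UpdateServices

$wsusServer = 'WSUS01'   # placeholder hostname
$wsusPort   = 8530       # default non-SSL port; 8531 when SSL is enabled
$useSsl     = $false

$wsus         = Get-WsusServer -Name $wsusServer -PortNumber $wsusPort -UseSsl:$useSsl
$subscription = $wsus.GetSubscription()

# Product categories (the "Products" tab in the WSUS console)
$products = $subscription.GetUpdateCategories() | Select-Object -ExpandProperty Title
# Update classifications (the "Classifications" tab: Security Updates, Critical Updates, ...)
$classes  = $subscription.GetUpdateClassifications() | Select-Object -ExpandProperty Title

"Subscribed products:"
$products | Sort-Object | ForEach-Object { "  $_" }
"Subscribed classifications:"
$classes | Sort-Object | ForEach-Object { "  $_" }

# The check the post describes: is any Office product category actually selected?
$officeSelected = $products | Where-Object { $_ -match 'Office' }
if (-not $officeSelected) {
    Write-Warning "No Microsoft Office product category is selected; Office is NOT being patched by this WSUS server."
}

# A default subscription may also miss the classification you care most about.
if ($classes -notcontains 'Security Updates') {
    Write-Warning "'Security Updates' classification is not selected."
}

# Optional remediation, to run only after confirming the change on a test group:
# enable every Office product category, then re-run the audit above.
# Get-WsusProduct -UpdateServer $wsus | Where-Object { $_.Product.Title -match 'Office' } | Set-WsusProduct
```

Run it on the WSUS server itself (or any host with the WSUS console installed) and compare the printed lists with what you believe is being patched; the gap between the two is usually where the "WSUS does that, right?" conversation ends up.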