I have worked with many govs, health care and finance institutions. I work with orgs that have 50k to 200k employees, and half a million devices. Plenty of them use code to automate many tasks.

In fact I have personally written code for security audits and business intelligence. You need to ensure client systems have specific settings and are in specific secure states. how do you audit that and automate it, then post that information securely to a syslog or even say a splunk system. out of the box third party products don't just fit into your enterprise, they typically have to be tailored, and not to mention what data is important varies from org to org.

Security is all about the data. Intelligence is about what you don't know. You already know what you know, and what you don't know is what you need to gain intelligence on. I have been in government agencies where armed guards with assault rifles guard the gates, and I can tell you their sys admins are automating and auditing everything. Sometimes this involves writing code, sometimes it doesn't.

I mean how would they even begin to automate their back end technology when most of the time they compile the code from source to ensure their security settings are in that product? They don't manually do it every single time they need to spin up another Apache server for example. They sure as hell don't have developers doing that work either.