The one who makes decisions has regular financial support from Bitrix ;) or was simply fooled by his salesmen.

Because it's certified.

First of all, safety and constant support of the product
https://www.1c-bitrix.ru/products/cms/certificates...
Certified by FSTEC
Certificate of Conformity No. 3260 FSTEC of Russia
FSTEC certificate - Federal Service for Technical and Export Control of Russia) confirms that that the product complies with the requirements of the governing document “Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information” (Gostekhkommissiya, 1992) according to the 5th class of security.
1C-Bitrix products and solutions received new certificates from the FSTEC of Russia. Learn more
Secure Web Application
Secure Web Application
The certificate was issued by Positive Technologies, which audited the effectiveness of the new security features of the 1C-Bitrix: Site Manager 8 product. Testing of the built-in protection mechanisms of the product confirmed their compliance with the requirements of the Web Application Firewall Evaluation Criteria of the international organization Web Application Security Consortium.
Compatible with eToken PASS
Compatibility certificate for electronic keys eToken PASS
The certificate was issued based on the results of certification tests conducted by CJSC Aladdin R.D. and 1C-Bitrix. The certificate certifies the correct operation of eToken PASS electronic keys produced by ZAO Aladdin R.D. with the software product "1C-Bitrix: Site Management" version 8.x.
Checked by hackers
Checked by hackers at CC2009
At the CC9 hacker festival, 1C-Bitrix and Positive Technologies organized a competition, the participants of which had to be able to bypass the site's Proactive Defense system and take advantage of various types of pre-prepared vulnerabilities. More than 600 specialists tried to cope with the task of the competition - to bypass the Web Application Firewall filter and exploit the vulnerabilities prepared in advance on the site (SQL-Injection, Cross-Site Scripting, Path Traversal and Local File Including). During the two days of the festival, more than 25,000 attacks were registered and repelled.