What do you do when a business won't follow your cybersecurity recommendations?

982 views, 3 comments

Director of Information Security in Energy and Utilities, 3 years ago

You are there to advise the business on cyber risks. If the business understands the potential impact of the risk to the business, you've done your job. Do document your recommendations and their responses for your record.

CISO in Software, 3 years ago

Recommendations should always have details on the risks or impact if the recommendation is not followed, so everyone and the business are aware of the potential implications of their decisions.

CTO in Software, 3 years ago

You have to treat those situations with the same disposition a doctor would have. I've done over 200 assessments around the globe, often in organizations that are seen as mission-critical to the country they're in. It's often a massive enterprise that's responsible for the country's gross domestic product, so I don't take it personally when they take my report and put it on a shelf. I did everything I could; I learned about the system and its makeup. It's just the nature of the beast.
