[Bjartr]

I'm having trouble building an internally consistent response because of things like how "changing a password" is a trivial change, i.e. I'm struggling to take into account the hypothetical in a way consistent with your intent and with what reality would have to work like for the hypothetical, as given, to hold true.

Mind trying again with a different example?

[SilasX]

The smallness of the change doesn't affect the point I was making. [1] The point is that you can't simply look at the raw incidence rates and conclude that specific added countermeasures are unnecessary or irrelevant to the attacker's incentives.

If you agree with that, then you agree with my general point and it's just an issue of which specific countermeasures survive a CBA.

[1] In fact, I chose a small change specifically to highly the absurdity of being bound by low/declining attack rates.