[Joeboy]

To be fair this is HN and that's undoubtedly true of most startups. But from my experience large, established, boring companies spend a lot of money on covering themselves against this sort of thing. Or at least on CYA security rituals. If they have money to spend on security theatre, why not try to sell them something that actually works?

[794CD01]

I would speculate that it's because they are more concerned with checking boxes for their auditors or insurers than they are about the actual data. As for convincing the KPMGs of the world to take security seriously instead of calling for security theater, well, "It is difficult to get a man to understand something, when his salary depends upon his not understanding it".