In the US, at least, a lot of organizations and most homes have piss-poor locks that are a lot easier to pick than their IT security is to crack. I'm not saying you're wrong, but it's not the best analogy.
We lost the key for the bedroom window; the GF seemed positively shocked when I took a small flat-headed screwdriver and 'picked' (I use quotes because it wasn't really picking since I only had to push in two places and the lock popped) it in under 90s.
A lot of security is visual deterrent and to make legal clarity in the instance of "Did you enter the room or break the lock then enter the room?" since the former doesn't imply criminal intent, the latter does.
But that's commensurate with the apparent risk. You don't have someone walking up to your office or home door and trying to bump the lock every 30 seconds like you have on, say, your SSH port.
If there were as many offline crime attempts as there were cyber crime attempts, you would definitely see more investment in physical security.
Furious agreement that locks aren't a great analogy. I'd hazard that for most organisations locks are actually to remove temptation from employees; and the quality of the lock is largely irrelevant.
A lock is only as good at stopping someone entering as the windows and doors are resistant to being removed. The advantages to locking something are:
* There is evidence that the door was forced after the event
* Very clear signaling of who is and isn't supposed to have access to a room.
Unless serious money is spent, I would expect that locks are delaying access by a matter of maybe up to hours. If IT security were that poor, the world would look different. A better analogy would be spending the money on security guards.
I locked myself out of the house one day and called a locksmith. It took him less than thirty seconds to pick the lock on my front door.
You're right about the signaling aspect, though. You can't very well pretend you didn't know you were supposed to be in a room if you had to get past a locked door to get in.
Except when organizations decide it would be too much of a security risk to give every authorized person keys/cards, or don't do so in a timely manner. Then the one designated key-holder is too busy/important to personally let everyone in, so the "secure" door gets propped open and/or opened in response to a knock from anyone, authorized or not. When low-level but authorized staff need access to further secure spaces, they start by tracking down someone with higher access privileges to borrow a card from. People with high-privileged access then start to reflexively toss their credentials to anyone who asks, because most of the time the request is necessary.
Super common with event venues during rehearsals and preparation (below the level of production value where there's a security desk checking IDs).
My locksmith didn't pick my lock. He asked if I wanted a show of lock picking or my door open. I said open. He turned the doorknob, held it on the stop, leaned on the door, slid in a thin plastic shim, and turned the doorknob the rest of the way.
Yeah, a total amateur can learn enough to pick the locks on most homes and padlocks with a grand total of about $3 worth of tools and an hour or two of experimentation.
Now, some businesses use better stuff - Abloy or Medeco stuff, but many still don't.