by zerkten 2480 days ago
> Most, if not all, companies do the bare minimum security they believe is necessary; anything beyond that is a waste of money and computing resources

This is why we continue to have incidents and vulnerabilities which could have been prevented, or better mitigated. Most often these companies do not even know how to make a correct assessment of their risk. They move forward with this idea that it's a waste of money and resources, yet waste everyone's time with clean-up, or just go out of business as a result. Even with minimal security training and limited curiosity, this incident could have been avoided.

1 comments

Customers don't want to pay for it. You can easily run yourself out of business building a more secure system. We need to get people and customers to care first to make the economics work.
Plenty of these measures are just basic professionalism. Some are relatively inexpensive (enabling MFA everywhere by default given the number of MFA options.)

Other changes are mildly annoying to developers, ops, and support (e.g. re-requesting production access.) Since developers hold sway in most organizations, convenience often trumps security. None of these measures put anyone out of business.

If I had to attack something I'd go for the limited resources to help smaller organizations scale security appropriately. There are tons of resources for large dev teams, infosec specialists, etc., but there is very little that targets small organizations effectively.