This feels a bit reductionist. Parent post specifically calls out state-sponsored actors. It's fine to expect and require doors, windows, and locks. It is not fine to expect a commercial business or individual to have their own tanks and military on hand.
Organizations do bear responsibility for their security posture--and many have spectacularly failed in this responsibility--but let's not pretend that an employee being phished is equivalent to something on the level of the SolarWinds hack or any one of the many nasty bits of malware coming out of Russia.
State-sponsored attacks are well funded and leverage one or more 0-days, which by definition cannot be defended against. The only way to stay ahead of a 0-day is to find it first, and that requires resources and expertise even large organizations are hard pressed to find in the numbers required.