Hacker News
by lbriner 1371 days ago
I think this is a meme, the idea that someone is always going to decide to pay X million in fines instead of paying for security.

The problem, surely, is that there is no "right answer" to what you need for security, no 100%; things that were worth it last year are no longer effective, and on top of all of that, you have human beings working for you who make mistakes.

There is also the very real issue, hardly talked about, of rolling security into legacy applications/infrastructure. People talk like someone can just click their fingers and get 2FA/Webauthn/FIDO/Yubikey, when most applications probably haven't been updated in 5 years and cost $1M per release in risk. Not saying it's good, but that's how it is.