[beauHD]

> but don't generate any visible revenue.

This is the crux of the issue. Organizations have no incentive to invest in good security because they don't see any negative ROI in the now. It's amazing just how much they invest after the fact of a breach. They have to assume they will be breached at some point and have all the necessary operational security in place when they do get breached to limit the blast radius.

Opsec is usually an infosec term, but businesses do opsec all the time to protect assets and inventories, only it's not called opsec, just 'standard practice', or a 'business plan' or other terms, but really it's opsec under the hood. Also, opsec is not new, it's something long practiced by organizations and companies across the world.