by Kalium
1245 days ago
I've found that quite often, the people suggesting that "the way we do it" mitigates a risk don't understand either aspect. Their goal is to achieve the feeling of having made it go away. They only want to do the thing, and compliance is getting in the way, as they see it. Understanding the risk often works against that, as it might put them in a position of having to understand just how much effort they are wasting as they live with lots of residual risk that their superiors don't actually want. To put it another way, using a risk-mitigation approach instead of compliance only works when you have honest, earnest, and full good-faith investment in the process. In practice, this is incredibly rare. We all know, are, or have been engineers who cannot imagine a system they wrote running without them having the ability to SSH in and sudo at will without having to justify anything. This is where compliance comes in. It sets standards and forces the issue. Even bad-faith, low-effort implementations wind up having to meet a whole series of very clear - if occasionally box-tick-y - standards.