[faeriechangling]

It doesn't matter if the policies COULD be easily defeated. If you live in a country of 5 million people, and say "only connections from smallstan are allowed into this sensitive infrastructure", you've probably wiped out 99% of automated attacks.

Security measures are judged by how much they cost to implement, and how effectively they reduce the threats you will actually face, and geolocation blocking has the amazing one-two punch of being cheap and effectual against real world threats. Realistically, you're going to face a lot more automated hacking attempts than you are hackers actively trying to workaround security safeguards your company has implemented. It also generates indicators of compromise, so even if this doesn't stop a hostile actor, it can reveal their presence.

Getting to 100% security is too expensive and it's also impossible.