I’d like to see evidence if this. Because it seems unrealistic, even a well protected org? Ok, say the employees are the weak chain. What about those with zero trust access policies?
My knowledge derives from personal experience, but if you want digestible evidence you can go read the books: “Click Here to Kill Everybody” by well known cryptographer Bruce Schneier or “This Is How They Tell Me The World Ends” by the lead cybersecurity reporter of the New York Times, Nicole Perlroth.