by LikelyABurner 775 days ago
There is a very strong professional code of conduct within security circles that you should monetize the security of your own product as little as possible, because your own security is not a revenue stream, it's your most basic obligation to your customer.

Like everything else in life, there are always trade-offs here, say, promoting your security practices to attract customers, but the general rule is that the moment you start having different tiers of protection, you start venturing into some seriously morally grey areas.

Microsoft didn't just start venturing into morally grey areas, they decided to set up their entire business model there, to the point that they didn't even know that they were hacked because they couldn't generate revenue from that knowledge.

THAT'S why Microsoft deserves every piece of bad press it's getting right now. Not that they had a security incident (everyone will have security incidents), it's that they deliberately ignored accepted industry standards to do so, and to this day they're stonewalling efforts to assess the full impact.