I wrote this! I'm excited to see this get attention here. I'll be responding to folks' comments where I feel like I have something to add, but please let me know if you have any questions or feedback!
There's certainly a lot of cargo cult security controls out there. One of the big issues is simply that it is very hard to change established practices. It takes a lot of effort, and senior people who are not security experts have to sign off on the "risk" of not doing what all their peers are doing.
There is one word I would change in your post title. Security has a useless controls problem, not security is a useless controls problem.
There is one word I would change in your post title. Security has a useless controls problem, not security is a useless controls problem.