by rcxdude 100 days ago
Everyone doing it doesn't make it a good idea. The big tech companies and governments are, I think, a little more paranoid about rogue admins, so they do at least try to limit the blast radius of any given credential, but almost no-one else has that level of maturity, which creates this pretty big chasm in the resilience of IT organisations as you go from small to large.

(There's also a certain irony about IT complaining that a change to improve security would mean they can't do their job as easily)

1 comments

I think you do not understand what a massive undertaking even securing a tenant in GSuite or Office 365 can be. Plus networking. Plus end user computing.

On top of this you want companies and governments to make their own tools?

You have a vision... of something zero trust. Now make it and implement it. Oh, not so easy?

S3 buckets used to be open by default. Office 365 had MFA as optional for a looooong time. So things are improving.

Doesn't need to be their own tools. It's organizational and cultural, not a case of no-one makes the tools to enable it.