While I understand your point, allow me to present the counterpoint that I always run into:
They are expensive (credentialed individuals)
Hardware is expensive
Process improvement is expensive.
It has been my experience that the main reason that cyber security programs do not get implemented is because the Sr leadership / board do not want to invest the time, effort or money.
I can confirm that money (in a company that always turned a profit) was the reason my last gig was vehemently resistant to implementing even basic security. That, and rank stupidity.
In that case, it was the local guys, not corporate, that were the immovable roadblock.
Not being in that field and trying to remain objective, I agree with that concept. I know how corporate decisions get made and have no doubt this dynamic could have played in.
Strange thing is, if I remember accurately, Equifax had a problem in 2016 too.
At what point do they finally admit they MUST clamp down on security?
The really bad thing is, they have everyone’s data. None of us have to be involved at all in tracking our credit numbers. The data is still in their files, and subject to access by nefarious rogue people who have the smarts to do it.
IMO, people like this should be put away for life. They stand to screw up hundreds of millions of people’s lives (potentially), and that makes them unfit to be roaming free.