Strong agree. I'll tell you the other reason not cited: it slows down organizations. Doing things right to avoid the (seemingly) small chance at being massively wrong is the inverse of the bet that doing many different things quickly has a small chance at a massive payout.
Let's say I'm an executive and I think there's a 1% chance of a breach that costs me 100x and a 1% chance of a 100x payout on every project.
I have 2 projects that each make $X. Let's say $X is $1000.
1 project will go from $X to $X/100 based on breach, so it's now worth $10.
1 project will go from $X to $X*100. It's now worth $100,000.
I went from making $2000 to $99,990.
This goes back to the argument about fines. They aren't NEARLY severe enough. If I'm an executive at a big company, I may enforce greater security on the "cash cow" projects (e.g. ad revenue and GSuite at Google [but not the Pixel or GCloud], AWS and Retail at Amazon [but not Alexa, Kindle, etc]) but the rest? I need to get ANOTHER cash cow. If my service that's only netting me $1M/year goes to $0, and I needed a service that would make $1B, I literally do not care.
If adding in-depth security to the $1M/year project makes delivery 2x slower, I've now spent 2x on something that probably wasn't even worth it. This is a game of stats; businesses and features as cattle not pets. I'd rather have 2 projects and another dice roll than 1 project that's just "meh".
That's not how I operate, but if you're playing this game as an executive, that's the most logical outcome.