Isn’t it desirable to weed out organizations with such fragile procedures…?
It’s like how those ransomware thieves incentivize all the critical computer systems in the world to remain air gapped, which seems like an overall net positive.
In a sense I agree with you. However, really great organizations have weak links. It only needs one unfortunately. I personally don't want to be out of job because of one weak link.
Sort of to your point, we do have training (which I find obnoxiously dumb, but many seem to find it great - I just let the video run in the background and answer the questions without actually watching a single second of it) around this sort of thing and we have phishing tests that are super easy to figure out (the email headers literally tell you it's a phishing test) but various people post on internal channels "Is this a scam? I'm not sure, please help!" and not all of them are non-technical people at all.
Above a certain size of company there just are gonna be some weak links in just the wrong place(s) randomly even with the best procedures unfortunately.
It’s like how those ransomware thieves incentivize all the critical computer systems in the world to remain air gapped, which seems like an overall net positive.