There's also always a trade-off between usability & user friction with high-security systems, although improvements in security software usability have eliminated some of those barriers. And systems security is like physical safes/locks: it should be rated in terms of how much effort it would take to bypass it, and implemented in proportion to the value/risk of exposure of the secure objects/data. Clearly this is an idealized model though: SolarWinds has shown that approaches to securing high-value assets are... lacking.