
Historically yes. Your job is to evolve this configuration as security controls improve. It's not a fire and forget process, it's continuous improvement.


Or you can just use multiple accounts, which makes things a whole bunch easier.

Frankly, AWS is just missing a level of abstraction here. Azure has resource groups, Gcloud has projects. An AWS account now is just used instead of those concepts, despite it being heavyweight and awkward to do so.


There are plenty of tools to automate the creation and management of new accounts. The biggest hurdle afaik is there's no automated way to delete an account.

Azure also has higher-level subscriptions.


It does, but account creation is kind of slow, and the whole control tower / SSO / etc. stuff is fairly janky. Clearly Amazon have been trying to make the account a more common level of isolation for some time and it's improving, but it's still not fantastic. Support also still has a minimum monthly pricing and isn't cross-account.


AWS recently added the organizations:CloseAccount API (albeit with some caveats discussed elsewhere in this comment tree).



