[ Edit: I expanded this and turned it into an article at https://lcamtuf.substack.com/p/product-security-barking-up-the-wrong ]
The basics of infosec - such as meaningful asset inventories, privilege reduction and separation, or solid access control - are *not* actually basics. They're not something you start with and then are done with. They're unsolved problems in computer security. Companies mess this up not because they're careless and incompetent, but because we don't know how to do these things right.
Yes, it's easy on my Linux laptop. It's not easy when you have 10,000 employees. It only takes one person who, for the sake of expediency, puts a bootleg AWS instance on a corporate credit card and does some "prototyping" there. It only takes one person who does something creative with SSH tunnels to be able to "work from home". It only takes one person who installs a sketchy browser extension, or outright goes rogue.
At scale, stuff like that happens *every day*, and even if your world-class tooling and education efforts get you to 95%, there's still that 5% that every organization is bound to miss. And 5% is enough. Heck, 1% is enough.
Yep, you try to lower that number, but it only gets you so far. The most successful security programs I've seen are not built around having perfect defenses. They're built around the assumption that you're gonna get compromised - and you need to detect it, respond to it, and contain it faster than the attackers can achieve their goals.