Also, this reliance on properly designing systems is bunk. Systems are too complex, and deployment immediately introduces deviations from the schema. The proof is in the pudding.
Executing a security program is like playing Tetris. The game speeds up as you go and there is nothing you can do to counter it. There is no opponent. The game's rules are designed to continually compress your decision/action cycle. It's ultimately a no-win situation.
On the other hand, executing a security program that includes an operational component, one that expects and assumes a no-win situation and continually detects, deters, and responds to badness, at least sets up a scenario where operations can lower your own friction and increase the opponent's. That is possibly tenable.