Ah yes: "Don't you understand, the problems in this field are harder. That is why the methodologies that easier fields reject as being grossly inadequate for their easier problems will work on much harder problems." Even ignoring the glaring conceptual holes in that argument, we also have literal decades of objective and empirical evidence that those techniques are still absolute failures when applied to software security.

Furthermore, groups of kids do not constitute a technically sophisticated threat. If you are struggling with them, then your security is grossly inadequate against commonplace and routine threat actors today like individual opportunistic criminals. Which are themselves grossly inferior to commercially motivated cybercrime groups. Which are themselves grossly inferior to state actors who are also commonplace and routine threat actors against national infrastructure.

The fact that commercial IT cybersecurity companies continue to fall prey to such bottom-feeder predators should tell you everything you need to know about the value of their recommendations and "expertise". If you disagree, present a software system developed using "offensive security" focused methodology (which if you present no definition I will define as using offensive specialists to design the security of a software system) that has been explicitly audited to be secure against a small team (let us say 3 person-years) of offensive specialists. And no, the absence of evidence: "There have been no publicly announced hacks on this system" does not constitute the evidence of absence. Only explicit audits that actively test the security of a system provide evidence of absence.

And, just to head-off any claims that is an impossible standard that nobody reaches, I will point to Common Criteria SKPP certifications and the seL4 proofs of correctness as examples of the alternative that has reached such standards.