I believe that these kind of decisions are mostly downstream of security audits/consultants with varying level of up to date slideshows.

I believe that this is overall a reasonable approach for companies that are bigger than "the CEO knows everyone and trusted executives are also senior IT/Devs/tech experts" and smaller than "we can spin an internal security audit using in-house resources"