It is. Our "security manager" has a dashboard that just literally counts the number of "security policies" we've put in place. Anything that isn't a box to tick is completely ignored as irrelevant. So we are essentially counting how many group policies we can implement and just disregarding the effectiveness of them for mitigating relevant threats and ignoring the added complexity and cost it incurs by making everyone's life more difficult. Systems password management/MFA? Who cares, can't make a graph out of it. It's the dumbest shit I've ever had to deal with.