icar 3 hours ago

> I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.

I personally came to that conclusion thanks to the GrapheneOS situation regarding device attestation. Insecure devices get full features from some apps because they are certified, although they cite security, while GrapheneOS gets half-featured apps because it's "insecure" (read: doesn't have the Google certification, but they are actually the most secure devices you can get, worldwide).

cynicalsecurity 3 hours ago | parent [-]

It's not about securing your device from external threats or bad actors; it's about securing the device from you.

trashb 2 hours ago | parent [-]

I see it a little differently. I would change your statement to the following:

It's not about securing your device from external threats or bad actors; it's about securing the organization from any blame / wrongdoing.

Most organizations today are looking high and low to shove the blame to others instead of taking responsibility.

TeMPOraL an hour ago | parent [-]

It's related, but GP is still right to bring it up - it's the one question that is most important wrt. security, and also conveniently the least often asked: security for who, and from what? "Security" isn't an absolute good.