Yes, exactly. In the realpolitik of organizational IT security, there's less of an emphasis on making systems more resilient to attack, much more of an emphasis on having an audit trail, so that in case the company is sued over a data breach they can claim "we did the very best that could be reasonably expected of us with the knowledge we had at the time" and provide receipts to back up that claim. Implicit in that claim is also "we used the same tools that everyone else is using so you can't blame us specially for unwittingly choosing something vulnerable to compromise". Hence the proliferation of shitty single-point-of-failure "endpoint security" software that leads to events like the 2024 Clownstrike incident.