You likely know better than I, but I've always had a weird intuition that enterprise IT security is bifurcated into "Leaders who understand compliance+details" and "Leaders who confuse compliance for details" with very different results.

And I get it's extra work, but I've seen some weird "But if you'd just built this a bit differently, you would have gotten all these free security bonuses to your posture" gaps.

Imho, a huge part of the problem is invisibility. I'm firmly of the belief the US government should be running scans on entities in regulated industries (defense, healthcare, utility, telecom) with regulated redress of any findings.

Trusting private industry isn't working.