pico303 11 hours ago

And after all that, your company gets hacked through a misconfigured router.

thewebguyd 7 hours ago

> And after all that, your company gets hacked through a misconfigured router.

Or a more likely scenario - some dev with admin on their machine grabs a malicious NPM package, and EDR doesn't grab it because they successfully lobbied to have certain directories exempt for performance reasons (like DevDrive on Windows, or WSL). SSH keys get stolen, and despite all the fancy security products, the environment is still a mess (which is why there are so many products to cover up that fact), so the dev actually has keys to prod, and then you're hosed.

I've seen my fair share of orgs that have a plethora of security "solutions" and yet fail to understand some basic principles like least privilege or separation of concerns and think all their security software is going to save them.

marcusb 10 hours ago

Or one of the seven endpoint agents, each of which has a kernel module and at least half of which are doing dodgy process injection and read process memory shenanigans.