... is why, after 15 years in Infosec, I've had enough and have transitioned out of infosec.
I had enough of being a figleaf, of the endless pointless tickmarks by "security consultants" with 6-letter passwords who think MFA is an ingredient in Chinese food, of the sheer security kabuki, the hopeless underfunding, the vendors just keen to upsell you another useless silver bullet and so f*cking on and on and on.
I have no idea what the solution should be. Maybe the Russians are better and smarter and simply can't be beat. Maybe it's the lack of real liability all the way up to the C-level, including vendor sales drones and above-mentioned consultants. Us few, us unhappy few, wouldn't have a problem, as we've been documenting and gathering evidence about how we've been warning and how we've been ignored like latter-day Kassandras for ages.
<friday rant off>