Re: "The pair recommended extensive rehearsal for recoveries"
I actually worked for a large organization that did DR failover between a couple of their main datacenters every year.
Every application team was opted in and had to produce a business case to be opted out, which was reviewed for progress the next year and escalated to management if they attempted to opt out a second time.
They were big on ITIL and COBIT frameworks, so as long as the rules were followed, people were not reprimanded.
Security was mainly audited by the security team with recommendations being documented... if your area got hacked after not following recommendations, the security team would work with you to remediate before you were hauled in front of the executives to explain yourself.
I guess I was spoiled there as I have not seen anything even close since.