Of course there's always a scenario that could be malapropos; yet most of the time we're not comparing $20k to a figure that has a larger GDP than many countries. I always get a kick out of people on the internet who take what I say and blow it way out of proportion to try to win an argument against me that I never made in the first place.
Anyway, I agree with your last sentence; at what point is something "good enough"? Lately I feel like the "good enough" in a significant number of corporations isn't acceptable. I'm in healthcare and the absolute lack of security in my day-to-day is absolutely amazing.
I think you're reading stuff into my reply that I didn't intend. I didn't want to argue with you. I read your post as though you were asking a question, and I answered it.
I agree with you on that last bit. While it's important to have your compliance ducks in a row, a lot of shops seem to feel like "we've checked all the audit checkboxes so we're secure now!" No. All that stuff is nice, but having a documented process for deciding who gets root on your database servers is not the same as actually securing your database servers.