I work in security as well and hope to be that CISO for my team :)
It's kinda sad that one needs to become that annoying rock you cannot just push away to put in place sensible security measures that profit everyone. It does not help at all that there are so many, so fucking many shitty security requirements|standards|under-the-shower-visions around, and this security theater makes us lose credibility.
As an example, it has been, what, 10 years that I have been fighting with external auditors regarding password complexity. I was pushing what is now the NIST standard, and every year I was confronted with the checkmark "small, caps, digits, special characters (but not <>') changed every 30 days" and was just saying that I would not sign off because we have something that simply makes sense. As in common sense, backed with 4th grade maths.
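To make the two policies in that comment concrete, here is an added example (not the commenter's code, nor any auditor's checklist) that puts the legacy "checkbox" composition rule next to a NIST SP 800-63B-style rule: length as the only composition requirement, a screen against a breached/common-password list, and no calendar-driven rotation. The blocklist and the legacy special-character set are constructed for the example; the "4th grade maths" is the keyspace size, length times log2 of the alphabet.

```python
"""Legacy 'checkbox' password policy versus a NIST SP 800-63B-style policy.
Added example; the blocklist and special-character set below are constructed."""
import math

# Legacy policies whitelist a fixed set of specials; the quoted one excluded <>'
# (a symptom of unescaped input reaching SQL/HTML somewhere downstream).
LEGACY_SPECIALS = set("!@#$%^&*()-_=+[]{};:,./?|~`\"\\")
LEGACY_MAX_AGE_DAYS = 30

# Constructed stand-in for a breached/common-password corpus of the kind
# SP 800-63B tells verifiers to screen against. Not real breach data.
BLOCKLIST = {"password", "password1", "welcome1", "summer2023!",
             "p@ssw0rd", "qwerty123"}


def legacy_policy(pw: str) -> bool:
    """'small, caps, digits, special characters (but not <>'), >= 8 chars'."""
    if len(pw) < 8:
        return False
    if any(c in "<>'" for c in pw):
        return False
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in LEGACY_SPECIALS for c in pw))


def nist_style_policy(pw: str, blocklist=BLOCKLIST,
                      min_len: int = 8, max_len: int = 64) -> bool:
    """SP 800-63B style: a minimum length, a generous maximum so passphrases
    fit, spaces and non-ASCII allowed, no composition rules, and a blocklist
    screen. The screen is case-insensitive and ignores surrounding whitespace
    so trivial variants of a blocklisted secret are caught as well."""
    if not (min_len <= len(pw) <= max_len):
        return False
    if any(not c.isprintable() for c in pw):   # reject control characters only
        return False
    return pw.strip().lower() not in blocklist


def legacy_needs_change(age_days: int, known_compromised: bool) -> bool:
    """Calendar-driven rotation: forced every 30 days, evidence or not."""
    return age_days >= LEGACY_MAX_AGE_DAYS or known_compromised


def nist_needs_change(age_days: int, known_compromised: bool) -> bool:
    """800-63B: no arbitrary expiry; change only on evidence of compromise."""
    return known_compromised


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """The '4th grade maths': log2(alphabet ** length) = length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    samples = ("P@ssw0rd", "Summer2023!", "correct horse battery staple",
               "Tr0ub4dor&3")
    for pw in samples:
        print(f"{pw!r:32} legacy={legacy_policy(pw)!s:5} "
              f"nist={nist_style_policy(pw)}")
    # An 8-character 'complex' password over ~92 printable symbols versus a
    # 16-character lowercase passphrase: the longer, simpler one wins.
    print(f"8 chars over 92 symbols: {keyspace_bits(8, 92):.1f} bits")
    print(f"16 lowercase letters:    {keyspace_bits(16, 26):.1f} bits")
```

The sample run shows the point the auditors kept missing: "P@ssw0rd" and "Summer2023!" sail through every checkbox and are exactly the secrets an attacker tries first, while a long lowercase passphrase fails the checkbox and has the larger keyspace.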