Thing is, it's not a problem. A problem would be if cybersecurity was playing first fiddle.

(When concerns of security become the main worry in an organization, the term we historically use to refer to it is "police state".)

>police state

Isn't a police state where a government is concerned with security above all else? To my mind, a place where private organizations are above all concerned with security is the exact opposite, anarchy, since there's no collective security framework in place to take the security burden off private organizations.

Police state on the inside, anarchy on the outside. This makes it even more similar to governments - sovereign nations are the highest organizational level; beyond them, there's no one to defer to. International affairs is anarchy - everyone's pogo dancing (to the tune set by nuclear powers).

It’s firmly in the “cost” center.

That’s a worse framing than above. It doesn’t matter if it’s a cost or a profit center. It’s part of a trade off.

You could achieve a perfectly secure system, if and only if you make that system do exactly nothing. If you want to achieve any other outcome you will have to trade some measure of security for the ability to do anything. Or as Matt Levine so aptly put it: the optimal amount of fraud is non-zero

Indeed. But I’m pointing out if it’s not the goal, then it’s a cost to minimize to achieve the goal.