> AD has built-in mecanisms where a random person can execute code on the AD themselves

Could you provide an example? I'm sure I know what you're talking about, but the way you put it I'm having a hard time figuring out what you mean.

> Most people are not perfect; Hence, most people have security issue with AD (see the never ending tail of cryptolocked companies)

Yeah, but, how many of those ransomware attacks exploit misconfigured AD environments rather than something more banal like harvesting credentials accidentally checked into Git, or spear phishing for a target? Identity, in general, is hard.