> I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.

This is the key insight. Nobody cares at all about actual security. It is all about checklists and compliance.