Hacker News

thatguy0900 today at 4:06 PM (3 replies)

Are there practical ways, other than spending a couple billion dollars, to protect yourself from nation state hacking groups? Especially if you're doing something like internet connected medical devices? Honest question


Replies

malwrar today at 4:23 PM

You can’t really avoid paying for security, which seems to historically be why it is ignored and risked. I’ve always felt the right approach is for an internal security & reliability org to be formed to provide an owner and maintainer for core services and libraries, so that things are built robustly from the get-go. Think premade formulations and integrations for auth, hosting, data storage, etc. Some companies have small security teams that _kind of_ fill this role, but usually they’re a gate you must pass rather than an ally helping you navigate hard problems by providing and maintaining prebuilt solutions. I’d rather just require that normal devs not need to solve these problems and instead be provided an appropriate sandbox to deploy software in.

megous today at 4:34 PM

They did log in on a global admin account and wiped devices via whatever turd technology is used currently to have complete control over your employees' devices centrally.

Central control over everything gives you a central way to shoot yourself in the foot. Duh. Don't be a control freak company maybe, or if you are, have 2FA on your admins' accounts.

"Nation state" my ass.

They also demonstrated that one rogue admin could have deleted the entire company in like one evening, too, if he felt bad enough.

Well, they also relied on this company to protect them, so...

https://www.bleepingcomputer.com/news/security/microsoft-ent...
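One defender-side control that follows from this comment, written here as an added example rather than code from the thread or from any MDM vendor: a rate-based detector that flags an admin account issuing a burst of remote-wipe commands, the pattern behind both the "one rogue admin, one evening" scenario and a hijacked global admin. The audit record layout and field names (`actor`, `action`, `device`, `DeviceWipe`) are assumptions, and the log lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample audit records (not from any real tenant or product).
# One admin account issues six wipes in under five minutes; a helpdesk
# account issues two wipes many hours apart, which is normal churn.
SAMPLE_AUDIT_LOG = [
    "2024-01-01T08:15:00Z actor=helpdesk@example.test action=DeviceWipe device=PHONE-017",
    "2024-01-01T19:00:02Z actor=admin@example.test action=SignIn device=-",
    "2024-01-01T19:00:05Z actor=admin@example.test action=DeviceWipe device=LAPTOP-001",
    "2024-01-01T19:00:41Z actor=admin@example.test action=DeviceWipe device=LAPTOP-002",
    "2024-01-01T19:01:13Z actor=admin@example.test action=DeviceWipe device=LAPTOP-003",
    "2024-01-01T19:02:07Z actor=admin@example.test action=DeviceWipe device=LAPTOP-004",
    "2024-01-01T19:03:30Z actor=admin@example.test action=DeviceWipe device=LAPTOP-005",
    "2024-01-01T19:04:58Z actor=admin@example.test action=DeviceWipe device=LAPTOP-006",
    "2024-01-01T16:40:00Z actor=helpdesk@example.test action=DeviceWipe device=PHONE-042",
]

def parse_record(line):
    """Split '<ts> k=v k=v ...' into a dict; the assumed record format is ours."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_mass_wipe(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: {...}} for each actor that issues >= threshold wipe
    commands inside any sliding window of the given length.

    Records are sorted by time so out-of-order log delivery does not hide a
    burst; each actor keeps a deque of wipe timestamps trimmed to the window.
    """
    recent, alerts = {}, {}
    for rec in sorted(map(parse_record, lines), key=lambda r: r["ts"]):
        if rec.get("action") != "DeviceWipe":
            continue
        q = recent.setdefault(rec["actor"], deque())
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()  # drop wipes that fell out of the window
        if len(q) >= threshold and rec["actor"] not in alerts:
            alerts[rec["actor"]] = {"first_wipe": q[0], "wipes_in_window": len(q)}
    return alerts

if __name__ == "__main__":
    for actor, info in detect_mass_wipe(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT {actor}: {info['wipes_in_window']} wipes since {info['first_wipe']}")
```

A real pipeline would feed this from the MDM audit export and pair it with a hard control (MFA on admin roles, approval for bulk actions) rather than alerting alone.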

jen20 today at 4:13 PM

The problem is, it doesn't matter. If the "good guys" are prevented from testing your system to uncover vulnerabilities without legal threats, but the "bad guys" are not, you still effectively do need to spend that anyway.