Basic hygiene security hygiene pretty much removes ransomware as a threat.

I cant tell if you’re being flippant, or naive. There is nothing that removes any category of malware as a threat.

Sure, properly isolated backups that run often will mitigate most of the risks from ransomware, but it’s quite a reach to claim that it’s pretty much removed as a threat. Especially since you would still need to cleanup and restore.

It's not often presented as "we should be spending more", but it's absolutely true that cybersecurity is predominated by a reflexive "more is better" bias. "Defense in depth" is at least as often invoked as an excuse to pile on more shit as it is with any real relation to the notion of boundaries analogous to those in the context from which the metaphor is drawn.

The security industry absolutely has a serious "more is better" syndrome.

OK I agree basic security hygiene removes ransomware as a threat.

Now take limited time/budget and off you go making sure basic security hygiene is applied in a company with 500 employees or 100 employees.

If you can do that let’s see how it goes with 1000 employees.

> Basic hygiene security hygiene pretty much removes ransomware as a threat.

It does not. The problem is, as long as there are people employed in a company, there will be people being too trustful and executing malware, not to mention AI agents. And even if you'd assume people and AI agents were perfect, there's all the auto updaters these days that regularly get compromised because they are such juicy targets.

And no, backups aren't the solution either, they only limit the scope of lost data.

In the end the flaw is fundamental to all major desktop OS'es - neither Windows, Linux nor macOS meaningfully limit the access scope of code running natively on the filesystem. Everything in the user's home directory and all mounted network shares where the user has write permissions bar a few specially protected files/folders is fair game for any malware achieving local code execution.