I call it paper security or checklist security. Usually it is about implementing enough to check off a list of requirements from some document. Antivirus installed? Check (never mind it is a Linux box and the AV loads a dubious proprietary driver in the kernel with a huge attack surface and remote exploit possibility because of how it does updates), such and such EAL-4 operating system installed? Check, and so on ...
So they tick all the boxes and end up with a worse posture than if they had just stayed with the defaults, for example.
You're right, that's fair. I can't remember a large bank being hacked where their customers' money was stolen or anything like that. It is usually retailers and such.
We call them "CISSPs" where I have worked. It's a mostly derogatory term for whiteboard warriors of the security world. They usually have a CISSP but no other valuable security background, most certainly aren't programmers and have never even played with Metasploit let alone understood how you exploit a system.
Unfortunately (most) banks/big enterprise are full of CISSPs which is why they keep getting styled on all the time.
If they woke up and hired real hackers, adopted real security practices and knowledge sharing they could drastically reduce risk and probably get better software and systems in the process.
Right. And at the end of the day, skilled attackers can either: a) not care if you decrypt their traffic as they're already in your network and it's too late by the time you're reviewing the incident or b) take a copy of your checklist and say, "well here's something they'll probably never figure out"
A little out-of-the-checkbox thinking goes a long way for attackers. It could for enterprises too, if they could overcome their inertia.