
It was just one example. I've seen similar issues from IT security in other situations. Like recommending every tier of an application in AWS having its own VPC, with firewall appliances between them, manual approval chains to open up ports in a dynamically scaled app, etc.

Basically, finding pragmatic security people that can balance "perfect" with "real life" is hard.




Indeed, part of that will be the culture of the company.

I've seen quite a few companies where any breach of security is held to be the "security team's fault", so they have an incentive not to accept risks (limited upside if they accept a risk, alongside a large potential downside if a breach/incident happens as a result).

Getting past that really requires a culture where security is the responsibility of all people in the organization and there's no finger pointing in the event of a breach/incident.


Huh, but that is the job of the security auditor: to assess the risk level and give a report with the level of threat, and then it is the product owner's job to take responsibility for implementing fixes based on that report. I do not understand a way of working where you have a security team that dumps a report with bs on developers' heads and says "fix all now or we die".



