To add something useful to the conversation & giving the benefit of the doubt: maybe the parent was describing a situation where an org didn't have a cohesive security plan. If half your people are using one service, and the other half are using another, you've got a problem. I suppose this can blow out in complexity, and maybe risk(?), once you're stacking services (IdP, MFA, ...).