> Furthermore, State is a decade or more behind the game. It is my impression that modern companies that care about security assume that all networks are compromised and act accordingly.
Unfortunately far from true. There's a small percentage who have the resources to run this kind of ops. Don't look at FAANG on how security is in companies; they're outliers by far.
FANMAG is also the infrastructure that most of these companies are running on, so in a way, they are delivering it bit by bit to most companies. Especially as companies move from doing things like 'running their own Exchange server' to 'buying a Microsoft 365 subscription'.
Chromebook + Google apps is what most companies need, and really good security for the most part.
While I don't disagree with your statement, it's important to remember that cybersecurity is a "weakest link" issue. If 90% of your infrastructure/tooling is provided by FANMAG companies, you are still pretty weak from the remaining 10% -- unless your company has higher security standards than FANMAG, which is not typical.
However, the infrastructure and scenario may be wildly different from your average (modern) big tech company.
There's always the notion that your national infrastructure needs the security applied as an afterthought, vs. maybe more careful planning and less heavy "legacy" dragging them down in the tech companies.
There's also massive amounts of variation between the companies in that group. Some are prohibited from taking source code off a computer located on premises (employees' take-home machines are "dumb" to the extreme in that they basically connect directly to their computers at work); others encourage their employees to use pre-production and internal products for personal use. As you can guess, they have dramatically different models for how to approach corporate security.