But unlike security issues a single failure doesn't compromise 100% of the rest of the system. This is also why analogies between software/security/cryptography/privacy and the tangible world are so awkward.
Fraud prevention actually is a security issue. Not an Internet security issue, so mistakes aren't punished that quickly, but the analogy is still sound.
Someone buying a new watch with their expense account doesn't suddenly give them access to the whole treasury -- that's the difference between physical and digital realms I am trying to emphasize.
Most security breaches don't allow the malicious user to root the entire server farm either.
I just spent a week fixing permission validation done in JS on the browser. Users could have potentially allowed themselves to see parts of documents outside their role. This didn't give them access to our payroll system, credit card processor, or the backend infrastructure.
This is a big part of the answer. Congressional hearings and reporting often act like "fraud is fraud", but allowing 1% fraud to save 20% overhead is entirely reasonable.
Improper resource usage is a better metaphor than security failures for this topic.
