Most people working on security don't have much power, and are reduced to tinkering with small incremental improvements that don't break anything.
Case in point: if you look at the history of malware infections in organisations, one vector historically stands out since the early 2000s: office/pdf attachments in emails. It's been obviously a catastrophic combination to feed untrusted, unauthenticated complex office formats to insecure productivity applications, but nothing was done about it despite weekly new public vulnerabilities and pwnage continuing over 20 years.