It’s not. Their security has known massive issues and security holes, and they consciously do not fix them.

Look at the CVEs for azure, msal and Active Directory for some good laughs.

Now realise most governments, large companies and education works on this