In reality what happened is that some security auditor put it into a checklist for the mobile app "Security ISO certificate++" and now everyone implements it for compliance.

Fighting against that is insane paperwork and professional exposure for software engineers that do it (since if people get phished, the C-suite will point a finger at a tech lead who went against the "professional security audit").

Most of the other posts here are just post-rationalization and victim blaming.

So let's have more of these conversations so the idiots making those standards make fewer dumb rules and we can grease the wheels for anyone passionate enough to try to get it changed.

Unfortunately the idiots are often the nation's security agency, or a large consulting company.

You will not have them change their policies if they do not have a good person inside, who will slowly move the boat.

I fought for audit findings because they were pissing me off at a personal level and it worked. But the auditor did not change their procedure, just reverted the finding. Until the next year.

I think you're making the naïve assumption that large organizations are heterogeneous.

The people at the top are idiots because the idiots were able to secure advisory positions. They were able to secure positions because those promoting them were either tricked or idiots themselves. This pattern repeated all the way down.

So I really do mean grease the wheels. And I really mean we won't kill the beast overnight. But we won't make any progress towards fixing things if we won't look at how the problems are created in the first place. We'll only perpetuate the problems if we oversimplify things, as that's exactly what got us into this mess in the first place.