This is a major issue I have with cybersecurity articles. They're often quite clever and interesting, but the real companies I've worked for can barely implement SSO, MFA, software updates, pay for logging, write worthwhile detections, etc. The basics are quite well understood, but no one seems to acknowledge that hardly anyone can actually manage the basics.
My experience as well, my background is enterprise development - mostly what would be classed as the M in SME (Small-Medium Enterprise) with forays into the big E and all of them fell down on even basic security in so many many ways.
Example: at the largest place I worked (5000 staff, 200 in Dev/QA) I found out by accident that the outsourced devs were using personal laptops when in a sprint meeting I asked where someone was and got back "His work machine died, he's nipped home to get his personal laptop".
That company constantly raved about how good its security posture was...
I spoke to my oppo number on the IT/platform team and his response was "yeah we know that happens, I've been trying to get them to ban it/make it impossible for a while".