This is exactly it - most "security" isn't really built around actual threat models, nor is it ever verified. IT security is perhaps the weirdest in the world in that the security of your web server will be constantly probed, whilst your front door could go your entire lifetime and never be probed once.

Where people actually care about physical security, they develop things that do actually work; and often are so unobtrusive you never realize they're there.

Security theater necessitates that it be showy and in your face.

Except a decent part of security is literally just deterrence.

Will my front door stop someone robbing my house if they want to? No: I have sidelight windows; you could just smash them and come through.

But the one time a house I was in got robbed, it was because we left the front door open and went out.

Which is odd if you think about it, right? Statistically, an open front door rather implies someone is home, not away, so it's a terrible targeting priority - but our house was targeted and not, say, our neighbors, who also wouldn't have been home that day.

People are quick to claim security theater, talk about threat models, but equally ignore them anyway.

The "I don't have to run faster than the bear; just faster than you".

PSA: If your buddy starts running from a brown bear, stand very, very still. They like to chase things and they're way faster than you are.