> We are on HN. People who are responsible for overreaching unreasonable security rules ... are basically us.

I don’t think that is true. Rules that you have to use a fax machine are enshrined in outdated laws. No IT professional is going to say to use a fax machine for security.

The same thing is true for a lot of security practices. Our company had silly password rotation policies because of certification requirements, not because our IT team thought it was necessary.