I think your conclusion is reasonable that the investment of effort in security improvements is not justified by the risk of it being exploited, but I want to pull out a tiny part of your post and suggest refining:
“There is no point in pursuing a security mindset if you are virtually certain that the thing you would be investing resources into would not be your weakest attack point.”
Different attackers will target different points depending on their capability and what they care about, and which attacker will go after you depends on their motivations. Your weakest point may be lower real risk than others simply because the type of attackers who would exploit that point don’t care about you.
Organisations will regularly invest resources into what is not necessarily the weakest attack point but based on their assessment of the most cost effective way to reduce overall risk. This plays into defence in depth, where multiple layers of overall security features can provide better risk reduction, especially where the weakest attack points are expensive or impossible to address.
This may seem like an inconsequential point as it doesn’t make any difference to your conclusions, but I do see people focussing on weak attack points without considering whether their money is being well spent.
To me, a better framing would be:
You shouldn’t invest resources into measures where there are alternatives that are more effective at reducing risk.
Yep, this seems right to me. In this case, the set of attackers is also quite narrow, since the codes are only relevant for 24 hours, and then only in a somewhat bounded way that’s easy to revert.