1) There can be no security events. Everything must be perfect at all times in order to meet this goal. This causes everyone to end up with endless paperwork trying to ‘prove’ that they meet this impossible expectation.. and in some cases you end up with lots of investigations of blame the other guy when something happens. Incident response becomes a case of ‘duck, cover, and blame’ versus remediation and learning.

2) Security is hard, so lets not do it. In this case, any pretext of trying to secure systems is dropped because since events are going to happen, why try to stop them. In this case incident management ends up being basically a bit-bucket or dealing with worst case scenarios that would not have happened if people had had reasonable expectations.

Having worked at places in both extremes.. I am not sure what is worse.