It’s interesting that you’re getting downvoted. There’s plenty of evidence that things are getting worse in this field, not the least of it caused by ignorant policymakers who are hellbent on protecting their arse by being seen to be doing something, anything.
Then there’s the ambulance chasers who amplify the fear factor up to eleven just so they can justify their retainers.
Finally, there’s Microsoft who in my opinion shows the whole world, time and again, how not to do security whilst all the while preaching to its victims, uh, customers, what “best practice” looks like, whilst chanting"Do as I say, not as I do".
Security is about education above all else. The vast majority of breaches start by social engineering, getting a target to inadvertently install something or reveal something that gives an attacker a toehold into a system. It might be an unexpected PDF, a clicked link, a weak password, or personal information retrieved from someone who has no business storing your passport and driving licence on a system.