Traditionally, there was a stratification of security requirements influenced by organization size. These requirements imposed expenses, policies, and processes – and were often a balance between efficacy and convenience.
Governments, for example, were often prime targets. The government adversary is typically another nation state with deep pockets and high motivation for espionage or worse. Governments must assume that there will be groups of professionals targeting them and security is robust.
Some large enterprises found themselves in similar situations. The reward for successfully compromising a financial institution is high. Financial institutions recognize that they are attractive targets, so they create comprehensive security solutions as insulation from possible attacks.
Smaller enterprises, such as the middle market, tend to fly under the radar believing themselves to be less attractive targets. These organizations will often deploy just enough security to ensure they are not an easy target for the casual adversary.
Until recently, this has been a successful strategy.