
"The moment they're under carrot-and-stick for not interfering with productivity, as well as preventing intrusions, you get more acceptable outcomes."

Suggestions on how to do this?



Give the COO/CTO the last say, not the CISO.

Usually it's the opposite, due to the asymmetry of a terrible unknown and claimed unquestionable remedies vs "it'll certainly slow us down to some degree". The person making the latter argument needs to have far more knowledge in areas outside their domain, and far better debate skills, to prevail. The person arguing the former need only say "hackers" in a solemn tone, to win by default.

Specific security measures should be added at "absolutely needed, beyond reasonable doubt" threshold, not "probably helps", as adjudicated by the leaders of the productive core of the business.

That'd go a long way to stopping them doing nonsense password rolling witch-doctoring.


> Give the COO/CTO the last say, not the CISO.

The problem with this is that when the COO/CTO doesn't understand or respect the CISO or their job, you end up with easily-preventable security breaches.

There need to be places where security is paramount.

There need to be places where user access/experience is paramount.

There are no hard and fast rules as to where these are. Human judgement is required, however messy that ends up being.


We did that for years and got more breaches and vulnerabilities…
