Is a bad lock on a door better than no lock at all?
Bad controls can significantly increase the attack surface compared to having no controls at all. A minimal physical barrier might offer a sliver of deterrence, but poorly implemented security controls are different: flawed controls can introduce new vulnerabilities and provide a false sense of security, making systems more susceptible to exploitation. Poorly implemented authentication might introduce bypass vulnerabilities, effectively opening up access points that wouldn't exist without it. A flawed encryption mechanism could provide a false sense of data protection while actually being easily broken, making sensitive information more readily available to attackers than if it were unencrypted but known to be vulnerable. I've seen companies that implemented an encryption mechanism, believing they had addressed security. The critical oversight was that their chosen encryption method was ...