Data security in any tech-related industry is a joke. And it's a joke that is nearly impossible to solve because there's a huge element of user error, both on the design & support end and on the enduser end.
Even if your engineers do everything right, then you have to worry about your support guys installing and triggering the products correctly. Then you have to worry about the randos down the line who don't know the first thing about software engineering breaking shit at the first opportunity.
There is nothing that will stop Mandy from Customer Support clicking on a malicious phishing link and giving hostile entities a free pass into the system.