
> The infosec community likes to latch on to any little vulnerability it can and act like the sky is falling

That's because while a given potential exploit might not be a huge deal, a collection of exploits becomes greater than the sum of its parts, so if you're security-minded, then you want as few of those parts as possible.



Sure, but you always have tradeoffs for implementation time, interface friction, etc. You need to scope things properly so people know how to prioritize them and, in my experience, infosec people are really bad at that. They're so ready to hype up whatever they found that they don't really care how it relates to the real world.



