Yep, but this is business 101 (equivalence with career 101).
At security 101, now I teach that an incorrect security measure is worse than no security measure at all. (Demo.hint: every security measure has a cost...)
However, business 201 reacted promptly by adjusting their security requirements to match the mechanisms chosen in first year. I never understood why they did not take advantage of the productivity enhancement offer? (Maybe because, in the end, they know how to treat security the same ways as documentation...)