Security is *always* a problem -- because people (users/customers) don't want to be INCONVENIENCED. (keeping ANYTHING in The Cloud is just a problem waiting to happen -- I am surprised we haven't heard of some CORPORATE entity's cloud storage being violated)
Add to that, the fact that there is little incentive for firms to *impose* security (despite the "objections" of "inconvenienced" users) and it's surprising we don't see MORE/bigger problems (no doubt because there are enough BIG TARGETS to engage hackers).
E.g., none of my work/business machines talk to the outside world. It isn't possible for them to do so even if there was a GAPING HOLE in the OS -- there are no cables connecting them to the outside world (and no wireless enabled!). So, yeah, a buffer overflow problem may cause one of my apps to crash if I type AReallyLongName. But, nothing *leaks* in the process!
But, this is "inconvenient" -- it means I have to SneakerNet anything that I want to import/export. P'feh. So what? I'll gladly take the peace of mind *and* added performance (from not having antivirus crap running all the time) over that minor inconvenience!
[Did we *really* have to TELL people "not to run as 'Administrator'"? Whose idea was it to give that level of privilege to the default user??]

"Don't reuse passwords"
Yeah. And how many of these "mixed upper/lowercase, some numerics and at least one 'special'" should I commit to memory? Note you've told me NOT to write them down, anywhere (so "memory" it will have to be!).
Designing for a *secure* environment takes an entirely different mindset. E.g., my automation system only allows certain network devices (MAC/IP) at specific network drops to send certain traffic on certain ports using certain protocols to certain other hosts, etc. I.e., you can't just "plug something in" and expect it to talk to *anything* you want to!
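As an added illustration of the default-deny allow-list the post describes (not the poster's own code or automation system), here is a small Python policy evaluator: a device is identified by the network drop it is plugged into plus its MAC and source subnet, and only the listed protocol/port/destination combinations are permitted; everything else is dropped and the reason recorded for audit. All drop names, MACs, addresses and rules are constructed for the example.

```python
"""Default-deny flow policy keyed on drop + MAC + IP + protocol + port + destination.
Every rule, address and sample flow below is constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    drop: str    # physical switch port / wall jack the frame arrived on
    mac: str
    src: str     # source IPv4 address
    proto: str   # "tcp" or "udp"
    dport: int
    dst: str     # destination IPv4 address


@dataclass(frozen=True)
class Rule:
    drop: str
    mac: str
    src_net: str   # CIDR the source address must fall in
    proto: str
    dport: int
    dst_net: str   # CIDR the destination address must fall in


# Constructed policy: each device is pinned to one drop, one MAC and one subnet,
# and may talk only to the hosts/ports it needs for its job.
POLICY = (
    # thermostat on drop A1 may publish MQTT-over-TLS to the controller...
    Rule("A1", "aa:bb:cc:00:00:01", "10.0.1.0/24", "tcp", 8883, "10.0.9.10/32"),
    # ...and resolve names at the local resolver
    Rule("A1", "aa:bb:cc:00:00:01", "10.0.1.0/24", "udp", 53, "10.0.9.53/32"),
    # camera on drop B3 may stream RTSP to the recorder only
    Rule("B3", "aa:bb:cc:00:00:02", "10.0.2.0/24", "tcp", 554, "10.0.9.20/32"),
)


def matches(rule: Rule, flow: Flow) -> bool:
    """Every field of the rule must agree with the observed flow."""
    return (rule.drop == flow.drop
            and rule.mac == flow.mac.lower()
            and rule.proto == flow.proto.lower()
            and rule.dport == flow.dport
            and ip_address(flow.src) in ip_network(rule.src_net)
            and ip_address(flow.dst) in ip_network(rule.dst_net))


def decide(flow: Flow, policy: tuple[Rule, ...] = POLICY) -> tuple[bool, str]:
    """Return (permitted, reason). Anything not explicitly listed is denied."""
    for rule in policy:
        if matches(rule, flow):
            return True, "matched rule"
    # Work out the nearest miss so the audit record says *why* it was dropped.
    same_device = [r for r in policy if r.mac == flow.mac.lower()]
    if not same_device:
        return False, "unknown MAC: not in policy"
    if not any(r.drop == flow.drop for r in same_device):
        return False, "known MAC seen on an unexpected drop"
    return False, "known device, but protocol/port/destination not permitted"


def audit(flows: list[Flow], policy: tuple[Rule, ...] = POLICY) -> list[tuple[Flow, str]]:
    """Evaluate a batch of observed flows and return the denied ones with reasons."""
    denied = []
    for flow in flows:
        ok, reason = decide(flow, policy)
        if not ok:
            denied.append((flow, reason))
    return denied


# Constructed sample traffic, as a monitoring tap might report it.
SAMPLE_FLOWS = [
    Flow("A1", "aa:bb:cc:00:00:01", "10.0.1.5", "tcp", 8883, "10.0.9.10"),  # thermostat -> controller
    Flow("A1", "aa:bb:cc:00:00:01", "10.0.1.5", "tcp", 22, "10.0.9.10"),    # same device, wrong port
    Flow("A2", "aa:bb:cc:00:00:01", "10.0.1.5", "tcp", 8883, "10.0.9.10"),  # same device, moved jack
    Flow("A1", "de:ad:be:ef:00:99", "10.0.1.77", "tcp", 80, "10.0.9.10"),   # device nobody registered
    Flow("B3", "aa:bb:cc:00:00:02", "10.0.2.9", "tcp", 554, "10.0.9.20"),   # camera -> recorder
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY drop={flow.drop} mac={flow.mac} {flow.proto}/{flow.dport} "
              f"{flow.src}->{flow.dst}: {reason}")
```

Two of the five constructed flows pass; the other three are dropped, and the reason distinguishes an unregistered MAC from a registered device that has been moved to a different jack or is attempting a port it was never granted. In a real deployment the same policy would be expressed in switch ACLs or firewall rules; the point of the script is that the decision is made on the whole tuple, not on any one field.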