This seems like a serious inability to understand that no process designed to prevent future things you can't foresee is 100% effective (by definition). At some point, you have to declare "good enough", and live with it until the error rate becomes unacceptable overall again, then modify it.
I.e., it's likely 50 pages of those regulations gave them a 99.9%+ rate of avoiding fraud. They then added 1350 pages to get to probably 99.99%.
This is unlikely to be worth it.
(And yes, before someone points it out, I'm likely being generous with the numbers.)
Remember the regulations do not prevent fraud, enforcement prevents fraud. There already exist plenty of things saying it's not okay, etc. Saying "and also, don't do that" is probably not actually necessary most of the time, in the same way saying "don't shoot people" is sufficient. Saying "and also don't shoot them while they are handcuffed" isn't necessary. Crappy post-justification does mean the regulation was written wrong, and changing the regulation to account for the post-justification will not actually improve the process most of the time.
Or, in the fraud case, "books will be audited at frequency X", "Y behavior makes it too easy to hide fraud and is not allowed". Rather than "fraud is illegal on Monday", "fraud is also illegal on Tuesday", "fraud is even illegal on holidays"...
Of course we can never achieve 100% with more regulation, but we make it more of a priority to make abuse harder to get away with than elsewhere, presumably increasing overhead in exchange for lowering abuse (yes, this is probably not a strictly linear curve).
Anyone who's played rules-lawyering games like Nomic will be aware that banning all misbehavior explicitly is impossible. You're basically limited to whitelisting approved behaviors, or implementing a general rule against malfeasance. Unless the consequences of misbehavior are enormous, the second option tends to be more efficient.
When it comes to NSF, people worry about overhead and waste. When it's welfare or food stamps, people worry about fraud instead. Some of this is moral - people care about the 'undeserving poor' more than 'undeserving scientists' - because we tend to hate abuse of charity. But it clearly shows that there are different categories of concern, and that the public is capable of examining both topics.
Improper resource usage is a better metaphor than security failures for this topic.
1. A good example of this is how Republicans periodically attempt to defund science agencies by mocking research projects that sound frivolous.
"In 1987, Stewart Brand accused Proxmire of recklessly attacking legitimate research for the crass purpose of furthering his own political career, with gross indifference as to whether his assertions were true or false as well as the long-term effects on American science and technology policy."
[0] https://en.wikipedia.org/wiki/William_Proxmire#Golden_Fleece...
What's needed is more refactoring. This would benefit from more capacity to try different sets of regulations in parallel.
If you have a speed limit sign, and it says "speed limit, 50 mph, enforced by satellite observation", most people will probably ignore it. Those that don't and get caught, yeah, they go looking for excuses for why they ignored it to post-justify it. Changing the regulation wording will not change this. You can make the sign much larger and say "speed limit 50 mph, even if you are really late for an appointment, etc" but honestly, it still will not help that. People ignore it because the enforcement mechanism makes them feel like it won't happen to them (and because it's not socially abhorrent, etc), not because of ignorance of the law.
On the other hand, if you have a sign that says "speed limit 50mph, enforced by this guy, right here", and there is a smiling cop with a radar gun sitting next to the sign, enforcing it, most people will not ignore it. In fact, I'd bet you could write everything before "enforced by this guy" in small print people had to slow down to read, and most people would slow down and read it, because they believe the risk of enforcement is greater to them.
Will you get everyone to stop speeding there? Nope.
Even if you add spike strips, laser beams, whatever, someone is going to do it, and in fact, enforcing harder sometimes increases the rate (depending how low the rate is) based on the thrill some people get. 100% compliance is just pretty much impossible, no matter what words you use.
It "rewards" those who are prudent with extra cash, and so it certainly won't be perfectly efficient, but in return it makes it harder for those who would otherwise try to abuse the system who often will go far overboard, because any extra expensive claims can be given a lot more attention (and often will require advance approval), and it drastically cuts down on paperwork.
Still they create mountains of rules....
At a certain point, you either accept a low level of fraud or just make a rule saying "don't do bad, wasteful stuff." Then you fire anyone who breaks that rule and let things work themselves out. (This has other problems, but they can be addressed.)
Most of bureaucratic stupidity is ultimately moral hazard. Someone pays for one failure case but not another, so they spend absurd amounts minimizing what they're responsible for.