Plenty of these measures are just basic professionalism. Some are relatively inexpensive (enabling MFA everywhere by default, given the number of MFA options).
Other changes are mildly annoying to developers, ops, and support (e.g. re-requesting production access). Since developers hold sway in most organizations, convenience often trumps security. None of these measures put anyone out of business.
If I had to attack something I'd go for the limited resources to help smaller organizations scale security appropriately. There are tons of resources for large dev teams, infosec specialists, etc., but there is very little that targets small organizations effectively.