Funny that. I call it the real world. :-)
This does not mean that I take security lightly. Quite the opposite. As a network manager it is the most important thing that I do. What it does mean though, is that there ARE, like it or not, certain realities that will turn security measures counterproductive.
Want eight-character complex passwords for all users? Fine, but then know that all you have to do to get access to the network is to start looking for sticky notes under keyboards. That's the only way users will be able to remember them.
Want permanent lockout on three bad passwords? Fine... but know that all I have to do to lock your CEO out of the network is try his email user against your VPN concentrator three times and I've just locked him out of your network. What fun!!
Want users to encrypt all their local data? Fine... but don't let them come running to me when they forget the password they changed last night after the ninth scotch and now you have to make a presentation on a multimillion dollar contract in an hour.
Me... I'll be happy with something else.
;-)
Simply ask yourself, do ATM users have trouble accessing their account information? Do ATM users have hideously long, complex passwords or utilize encryption so severe that if they lose their password they are forever locked out of their banking accounts?
If the answer is "no", then ask yourself, why would I treat my corporate users to any lower level of usability and security than that which is enjoyed by ATM and POS terminal users?
Is the answer, "I don't know any better", or "I don't like them", or "I haven't really thought about an architectural solution"?
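The lockout trade-off described in the reply above, as an added example that is not code from this thread: a small Python simulation of an account-lockout policy, comparing a permanent "three strikes" lock with a time-limited one. The account name, the passwords and the 15-minute unlock window are constructed for the demo; the point is that under the permanent policy three wrong guesses by anyone keep the legitimate user out until an administrator intervenes, while the time-limited policy only delays them.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 3                       # the "three bad passwords" of the post
    lockout_seconds: Optional[float] = None     # None = permanent lock (admin reset only)


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None        # float("inf") marks a permanent lock


class LoginGuard:
    """Per-account failed-login tracker (constructed demo, not any product's code)."""

    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = credentials          # plaintext only because this is a demo
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        st = self.state.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None              # temporary lock expired: count afresh
            st.failures = 0
        if self.credentials.get(user) == password:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.locked_until = (float("inf") if self.policy.lockout_seconds is None
                               else now + self.policy.lockout_seconds)
            return "locked"
        return "bad_password"


def simulate(policy: LockoutPolicy):
    """Stranger sends three wrong passwords for 'ceo' at t=0,1,2 s; the real user
    then tries the correct password at t=10 s and again 20 minutes later."""
    guard = LoginGuard(policy, {"ceo": "correct horse"})     # constructed credentials
    for t in range(3):
        guard.attempt("ceo", "guess%d" % t, now=t)
    return (guard.attempt("ceo", "correct horse", now=10),
            guard.attempt("ceo", "correct horse", now=10 + 20 * 60))
```

With `LockoutPolicy(lockout_seconds=None)` both legitimate attempts return `"locked"`; with a 15-minute window (`lockout_seconds=900`) the first is `"locked"` and the second is `"ok"`.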