The curious bit about “security” as a discipline, is that at root you need to know who to trust, and when. Corporate security is critically dependant on the abilities of a small number of well-intentioned employees. Personal security is dependent on choosing which large entities you choose to trust (and to what extent). National security is dependant on the degree of trust assumed for various large groups of individuals - not all of which are as well-known as circumstance demands.
Any of the above is easy to get wrong.
The key metric missing in most discussions is - trust. Whom do you trust, and to what extent? Do the systems you use (hardware and software) accurately reflect the exact extent of that trust?