Comments
@Baiswith 3 months ago
Here's a suggestion for discussion - email chains, and the amount of information you can inadvertently hand out versus the ease (?) of reviewing said information.
@gilesbarford6392 4 months ago
With regard to Vulnerability vs Configuration: are we less worried about vulnerabilities now because of technologies such as ASLR, NX Bit and lately Rust? Once you start looking at scripted languages the vulnerabilities and configuration mistake line really starts to blur; take a look at OWASP Top Ten.
@johnlockie 5 months ago
Great discussion. Regarding SaaS and shared security model: Mario briefly mentioned this - ideally we shift the paradigm of auth and move to token based / password-less IdPs. The only reason we have “MFA” is because passwords are essentially useless now. So let’s eliminate the password and raise the bar to biometric based platforms. Note we must also focus on NIST 800-63A (identity proofing) in order to harden against onboarding risks with such platforms.