We know people are a weak point. Watch “Mr. Robot”, watch “The Real Hustle” or “Catch Me If You Can”, or read this to understand that “It only takes one thing to get someone to reveal their password: asking”.
So we try to enforce stronger passwords and hope users have a decent password manager, or at least a hidden physical copy, and don’t reuse passwords.
We try to add two-factor authentication so there’s less chance of anything happening if one factor is lost, and hope we’re safe from phishing attacks.
We try to train users.
But security is an inconvenience. It hammers usability, because we want it to be unusable for the bad guys. (And it’s not just software: go to the right Scottish islands and you’ll find unlocked cars and unlocked houses.)
If you’re a bank, you optimise for failure. Cancel the old card and send out a new one. Block the online account until you get something in the post. Log every change for users to review. Roll back transactions once fraud has been proven. But even after optimisation, failure is expensive. It’s not an option generally open to the rest of us.