Everyone has security controls/tools that work and controls/tools that don’t work. I’d originally thought a bigger budget would solve a lot of problems. The community likes to say that budgets don’t solve everything, but even open source needs hardware (cost) and time (cost) to implement / management.
My problem seems to be more of a locus of control issue than a budget issue. Even if the budget doubled, I question if the security posture would increase. A security team can easily implement AV, firewalls, malware detection, etc. The administration and usage is almost entirely the responsibility of the security team. The locus of control is internal to the team.
On the other hand, a penetration test has an external locus of control. There is the budget issue, but even a budget won’t solve anything if the problematic systems have admins that won’t resolve an issue.
A web-application firewall is another example. A network firewall is pretty simple, 80 is either open or closed to a web server. A WAF requires cooperation between the security team and the server admin for an effective setup. Once again, the locus of control is external.
Even if the budget keeps increasing, effectiveness won’t increase until external groups buy in. Fixing that requires more than open source tools, a budget, or security people…