The military has a better model of security. They protect things at different security levels.
I've spent time in the classified world. Security can be obtained, but costs are high. At the aerospace company, we estimated for bid purposes that running a project at SECRET doubled the cost. Running at levels above that became even more expensive, and much slower. You have to partition things, so that only the really critical stuff gets the most expensive protection. It's common to have a project where the project is mostly unclassified, many things are SECRET, and a very few things are at higher levels.
The military views security as time-limited. When and where the attack will start is highly classified until the attack is underway. After that, there is no secret. New weapons systems eventually get used or cancelled, after which they're less secret. The intelligence community wants to protect info forever, though.
The credit card services get this. The CVV is required to have a higher level of protection than credit card numbers or names and addresses. Banks understand separation of functions and mutual mistrust. Most computer security work doesn't think this way.
I've spent time in the classified world. Security can be obtained, but costs are high. At the aerospace company, we estimated for bid purposes that running a project at SECRET doubled the cost. Running at levels above that became even more expensive, and much slower. You have to partition things, so that only the really critical stuff gets the most expensive protection. It's common to have a project where the project is mostly unclassified, many things are SECRET, and a very few things are at higher levels.
The military views security as time-limited. When and where the attack will start is highly classified until the attack is underway. After that, there is no secret. New weapons systems eventually get used or cancelled, after which they're less secret. The intelligence community wants to protect info forever, though.
The credit card services get this. The CVV is required to have a higher level of protection than credit card numbers or names and addresses. Banks understand separation of functions and mutual mistrust. Most computer security work doesn't think this way.