Laypersons probably don't see ATOs at scale. I worked at a fintech and it was a relentless uphill battle to protect our users. We saw massive distributed login attempts daily and constantly bought compromised passwords on the gray market to run against our users' accounts. We tried to encourage better password hygiene, 2FA, Fido, etc.

You have to protect users from their own misunderstanding. When it comes to their bank accounts, improper security can be life-changing.

The term "security theater" itself is often thrown around to criticize when it's completely undeserved. Lots of people use it to poke fun at the TSA, but the term totally dismisses the fact that hijackings have plummeted [1,2]. The TSA does its job.

[1] https://www.statista.com/statistics/1240246/aircraft-hijacki...

[2] https://imgur.com/a/xV9ebD9