Olaf... I see you've never worked at a large company where many individuals work together to design and build a product.
To say you must do more to secure information is a pretty obvious statement. Do you think companies don't know this? C'mon, you're smarter than this.
When you have 500+ people working on a project--some at other locations, to simply secure it on a private network isn't as easy as it sounds. Even if you employ best practices and proper security devices, there are many attack points. Even a novice InfoSec professional knows this and can point many out.
I've been a red team professional for nearly 10 years--even when companies do everything right to secure their systems, we manage to find a weak point to exploit within 30 days. A nation state has all the time in the world to do this, along with employing a workforce dedicated to working on zero days; on a variety of different and popular software. If you don't understand there are thousands of zero days available to nation states (which they keep secret), then you probably should consider working in another field.
All of this is pretty obvious to an experienced InfoSec professional. Especially those who keep up with the latest offensive security attack methods/techniques. Along with understanding you have a lot to learn--and should begin to consider not the obvious, but the unique and ambiguous.
You may also want to consider withholding judgement until you have a lot more experience.