While Microsoft should absolutely be held accountable for flaws in its code and its failures to disclose actively-exploited attacks in the wild against said flaws, most organizations have policies (or the lack thereof) resulting in security flaws you can drive a truck through.

Specifically, a lack of M365 and Teams “app” review and approval processes, a lack of CASB tooling, and grossly inadequate asset inventories and security agent coverage. You can’t protect what you can’t see, and most Microsoft customers are barely doing the minimum.

Is that Microsoft’s fault, when they explicitly tell your admins you’ve got a “Secure Score” of 19%, and they don’t do shit about it?