What are the biggest lies in Cyber?

What are the lies or myths you often come across in cybersecurity that cover up some inconvenient truths?

E.g.: “There’s no real risk because these servers are only accessible from the internal network.” = The hardening of the servers is not up to standard.

“We did detect the audit activities, but we didn’t notify you.” = Our detection rules generate too many false positives to identify an actual attack.