“Secure by default” sounds great until it meets BYOD, VDI, federated SSO, and the help desk exception list from hell.

Device-bound sessions help.

Waiting for every SaaS vendor to flip the default is not a strategy.