Hello Friend NG

Programs are badness, Kernel mode programs are badness squared, and kernel mode programs on every machine you have are badness cubed.

But what other choice do you have? At a basic level, computers can run arbitrary code, including code you don’t want to run. And networked computers can talk to arbitrary other networked computers, including ones you don’t want them talking to. I really recommend “The Coming War on General Purpose Computation” for a discussion of that. You can handwave all you want, those two laws are fundamental.

Option A: try and ignore the above. Have whitelisted programs, whitelisted websites. In some business roles this might even make sense. But in others it fails hard. People doing even very slightly flexible work now need to submit an approval request, and this approvals process, without fail, is awful. It is done by someone with neither the time, the capability, nor the incentive to do it well. I’ve seen approvers flat out reject open source software, stuff maintained by a US government institution, for insufficient ownership. They approved imagemagick. Product research? Nope. Anyone vaguely smart will leave.

Option B: Don’t run any security products and simply accept you’re going to be breached. Need I say more?

Option C: Combine structural changes that secure the basic, valuable primitives better, with a real look - particularly for OT - at impact reduction. For the former, Android and iOS are simply much harder to run malware on, and any authentication flow that doesn’t involve a password should be moved to ASAP. For the latter, Crowdstrike really has just done you a favour. What does happen in the first six hours after a ransomware attack at your place, hitting every single damn thing with a von Neumann architecture and a network connection? Know the answer to that question.

© CC BY-NC 4.0 2024