You can't use reason and logic with the security people. They have a box that needs to be checked; they don't consider any possibilities outside of that box.
As a security person, agreed. Too few have ever written a line of code or shipped a product under massive constraints. However, those checkboxes do exist because engineers, IT, and everyone else involved have major lapses. I guarantee you 99% of orgs out there have a worse posture than Okta and never find out they've been compromised.
I think it's important to admit that _all_ organizations have been hacked. Even the NSA. Most just never find out and if they do they have little idea what was compromised.
Worst-in-class is overstating it, but they've had three serious breaches in the last three years, not counting exposure of their private GitHub repos.
The thing that really bothers me about Okta though is that they've been caught lying when asked if they were affected by CVEs. See this thread from one of the Duo founders responding to folks (including one of the Cloudflare founders) being stonewalled by Okta during the fallout from Log4Shell: https://nitter.net/jonoberheide/status/1506280347306188805.