Hacker News

There seems to be one consistency in all these kinds of stories. The moral, it seems, is: if you want to have security, do not buy what your government does.


This applies to everything. When you need something, look at what people who actually need it are buying, not what people who just want to cover their ass are doing.


"For the Minuteman ICBM force, the US Air Force's Strategic Air Command worried that in times of need the codes would not be available, so they quietly decided to set them to 00000000; checking this combination was even present on the launch checklists. This was not changed until 1977.[7]"

http://en.wikipedia.org/wiki/Permissive_Action_Link


Not so true. When the government REALLY wants to secure something, like, say, nukes, no matter what the technical security measures, there are always guys with guns.


I wonder, though, if that's their reasoning, or if they'd rather have another complicated layer in place instead. It might just be mimicry - people doing illegal things have hired guns, and it seems to work reasonably well for them - without actually understanding why it works when expensive techniques (which they don't fully comprehend) fail.


I think that it has less to do with why the technical obstacles can be overcome and more to do with the fact that they can be overcome. Unless a technical obstacle can be 100% secure, having an additional layer of security in the form of armed gunmen is useful.

The layer of armed gunmen is obviously not 100% reliable either, but requires an entirely separate domain of skills/knowledge/resources to overcome than technical obstacles.


I've served in the military. We had an asset we needed to secure - not nukes, but fairly important. We did the risk analysis and wound up with this layered approach: big thick blast-, TEMPEST-, and EMP-resistant door, retinal scan identification system, and an armed guard (enlisted, not contracted) 24/7. There was other stuff too. I don't remember it all - it was 1996 fer cryin out loud.

Complicated systems fail in unpredictable ways, and we understood that. We absolutely did _not_ want to depend on technical means only.

Maybe some organizations behave the way you suggest, but IMHO it is far more rare than you think.


My takeaway is that nothing is secure that you can't understand simply. Complexity is almost always insecure.


Well, it's like jwz's old sig:

Some people, when confronted with a problem, think “I know, I'll use regular expressions.” Now they have two problems.

In the case of these locks, the problem with increased complexity is that now you have to manage complexity, and deal with the low tech physical intrusion methods.



