It identified a series of operational and strategic decisions by Microsoft that “collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management.” The report pulls no punches in its assessment, declaring that “the cascade of Microsoft’s avoidable errors that allowed this intrusion to succeed” was both preventable and unacceptable.
Have you shared the CSRB report from 2023 with him already?
https://netchoice.org/cyber-safety-review-board-report-exposes-serious-flaws-in-microsofts-security-practices/