Most technical discussions of security are in a context with no practical constraints.
In practice you have constraints you have to work around. You have a limited budget, limited man-hours, user requirements. All of these affect the security-effort and security-usability curves.
For every security policy and tool you want to implement you have to weigh the effort and usability affects against the security it will offer, and you have to understand the needs of your users as part of that.