IT security has evolved from being a completely binary operation to taking a more nuanced approach. Back in the days when R, S, and A first got together, it was sufficient to do security on this pass/fail basis, meaning a large part of security was deciding whether or not to let someone into your network. It could also mean allowing them to use a particular application or not, or allowing them access to a particular network resource (e.g. printer, server) or not.
One example is over-protective endpoint security. While it is great to plug as many holes as possible across your endpoint collection, if you lock down your endpoints too much, employees will shift their work to the cloud and their personal devices. That is also self-defeating.