Nice Theory - but
1) How many outfits have all their IT systems set up correctly - all too often if one person has to provide temporary cover for another, the only way to do so is to log on as that other person. (Or wait weeks for all the authorization tables to be updated, additional user licenses purchased etc.)
2) See (1)
8) Proper procedures are good for routine activities - they are not much good under exceptional conditions.
(Crude example - the payroll printer breaks down on payday - there is no time to follow the "correct procedure" of repairing or replacing it but diverting the print job to a printer in another office allows the time critical payroll job to complete.)
Having "proper procedures" that take too long can result in a company loosing out to more agile competitors.
9) Security is not the second most important thing. Safety, company survival, company profits and company growth are more important. Also in many companies, senior management convenience is counted as far more important than security.
Security is an overhead - (people, software, equipment and employee time) so for most companies, they spend as little as possible on it. This tends to mean that the chief security officer for a company is a fairly low ranked person who can be easily overridden by senior management. (The correct point to stop with security spending in a company is at the point where the loss prevention from increased security no longer exceeds the cost of the increased security.)
Finally if security is applied with too heavy a hand, employee morale and productivity can suffer badly