Re: It is all about penetration testing
real world attackers (and gov agencies) use - bribing, women, booze.
Such attacks are extremely expensive to carry out, and risky (as there's a human being who can, if detected, be tracked, surveilled, captured, interrogated etc.) There's a lot of highly specialised tradecraft involved. And so on. Very, very few organisations have that class of attacker in their threat models, for the obvious reason that either they're not a threat, or because realistic defences against such attacks would be too much trouble and money to be worth it. For instance, you start with DV-level vetting of all your staff, firing everyone who fails it. Your firm wouldn't have any problem losing 50% of its headcount, right?
If they want you that much, they'll send ninja scuba divers up through the sewers at 4am to plant pinhead audio bugs that can relay the sound of typing to someone who can reconstruct the keystrokes, or whatever.