That is a straw man argument. Nobody was saying security should be prioritised over the goal of the product.

Security is just another non-functional requirement (mostly) of a product.

To obtain good enough security, defence in depth is still a good principle to follow. It means you are not putting all your eggs in one basket. It often means that each individual control does not have to be perfect or massively over-engineered.

So in this case, when short sessions are a clear negative for a lot of products, and we have existing examples of HUGE enterprise companies that have agreed and adjusted those sessions to be much longer for most cases...

I would argue that you are arguing to prioritize security over the goal of the product. Right here and right now - you are literally doing it.

> To obtain good enough security, defence in depth is still a good principle to follow.

I don't disagree! I just think that each "defense" needs to actually be considered on the whole, not as just another bonus to security. Short sessions SUUUUUUUUUCK. They make your product shitty. Users hate them. They don't add a ton of security.

Are there products that should still have them? Sure. Probably lots of products in VERY specific places. Should they be the default everywhere? Sure as hell not.
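The trade-off the two comments are arguing over (one short global session versus several layered controls) is easier to see in code. The following is an added example, not code from either commenter or from any product: a small session store that layers a sliding idle timeout, an absolute lifetime, and a step-up re-authentication window for sensitive actions. The policy values (15 minutes everywhere versus 14 days idle / 30 days absolute / 5 minutes fresh-auth) are constructed sample numbers chosen to make the comparison visible, not recommendations from the thread.

```python
"""Layered session controls versus a single short session (added illustration).

Timestamps are plain integers (seconds) so the example runs offline and the
`demo` function can be checked deterministically.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class SessionPolicy:
    idle_timeout: int       # seconds of inactivity before the session is dropped (sliding window)
    absolute_lifetime: int  # seconds since login after which the session ends regardless of activity
    fresh_auth_window: int  # seconds since the last credential check allowed for sensitive actions


@dataclass
class Session:
    user: str
    created_at: int
    last_seen: int
    last_auth_at: int


class SessionStore:
    def __init__(self, policy: SessionPolicy) -> None:
        self.policy = policy
        self._sessions: Dict[str, Session] = {}

    def login(self, sid: str, user: str, now: int) -> None:
        # Session ids would come from a CSPRNG in a real system; here they are constructed labels.
        self._sessions[sid] = Session(user, now, now, now)

    def touch(self, sid: str, now: int) -> Optional[Session]:
        """Validate a session for an ordinary request and slide its idle window."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        too_old = now - s.created_at > self.policy.absolute_lifetime
        idle = now - s.last_seen > self.policy.idle_timeout
        if too_old or idle:
            del self._sessions[sid]  # evict rather than leave a stale session around
            return None
        s.last_seen = now
        return s

    def allow_sensitive(self, sid: str, now: int) -> bool:
        """Sensitive actions require a recent credential check, not just a live session."""
        s = self.touch(sid, now)
        return s is not None and now - s.last_auth_at <= self.policy.fresh_auth_window

    def reauthenticate(self, sid: str, now: int) -> bool:
        """Record a successful step-up (password/MFA) check for a live session."""
        s = self.touch(sid, now)
        if s is None:
            return False
        s.last_auth_at = now
        return True


# Constructed sample policies for the comparison.
SHORT_EVERYWHERE = SessionPolicy(idle_timeout=900, absolute_lifetime=900, fresh_auth_window=900)
LAYERED = SessionPolicy(idle_timeout=14 * 86400, absolute_lifetime=30 * 86400, fresh_auth_window=300)


def demo(policy: SessionPolicy) -> Dict[str, bool]:
    """Walk one user through a day-later return, a sensitive action, step-up, and a 31-day cutoff."""
    store = SessionStore(policy)
    day = 86400
    store.login("sid-1", "alice", now=0)
    result = {
        # Ordinary request the next day: does the user still have a session?
        "logged_in_next_day": store.touch("sid-1", now=day) is not None,
        # Sensitive action without a recent credential check.
        "sensitive_without_reauth": store.allow_sensitive("sid-1", now=day + 60),
    }
    # Step-up authentication, then the same sensitive action a minute later.
    result["reauth_ok"] = store.reauthenticate("sid-1", now=day + 60)
    result["sensitive_after_reauth"] = store.allow_sensitive("sid-1", now=day + 120)
    # Even constant activity cannot extend the session past the absolute lifetime.
    for t in range(day + 120, 31 * day, day):
        store.touch("sid-1", now=t)
    result["alive_after_31_days"] = store.touch("sid-1", now=31 * day) is not None
    return result


if __name__ == "__main__":
    print("short everywhere:", demo(SHORT_EVERYWHERE))
    print("layered:", demo(LAYERED))
```

Under the short policy the user is simply logged out after a day and every later check fails; under the layered policy the ordinary session survives, but the sensitive action is still gated on a fresh credential check, and the absolute lifetime ends the session at 30 days no matter how active it is. That is the "each defense considered on the whole" point: the user-visible cost is paid only where the risk is, rather than on every request.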