Yeah, but it's actually not that straightforward to successfully turn the security of a heavily hardened Azure tenant to dogshit unless you know your way around and know exactly how Azure security works and what to strip out of it.

That's my point.

Same applies to properly hardened AWS and GCP tenants aswell.