The number of "we can't do that, it murders kittens on live TV" types of discussions I've seen surprises me, both that something got as far as it did, and that it was shut down with a simple comment.
The number of times a group has created/approved something that immediately has a flaw found by the first person it is shown to who is not in the group is something that I'd love to see hard numbers on. It has to be very high. It's like groupthink takes over and nobody can think critically about it, and all sorts of things slip through. It's even more embarrassing when you do have subject matter experts already employed within the company that were either not discussed with or, worse, ignored.
The most common example is from marketing where there is something that nobody notices until the internet noticed, or when a foreign company releases internationalized copy by someone that is not a native speaker so that the translation is nonsensical gibberish.
I think a major part of it is a form of "institutional blindness" where the people who do see it don't mention anything wrong because there's only downside to doing so; the first person who can't be "retaliated" against goes "what the fuck is this?"
I've found myself being on the downside. One job in particular was especially egregious in how "pitch meetings" were simply where the art director let people toss out ideas only to dismiss each one and at the end toss out their idea. Suddenly everyone in the room loved the idea. It was obvious the art director just wanted to be able to say that they were open and listened to ideas from the plebes. After the third one of these meetings where I started asking for more details from the brilliant pitch, it was clear that I was no longer a fit. Eventually, the glitch was fixed so to speak.
"What are the security implications for this?" does a similar thing. People don't like it and eventually you either take the hint or people stop inviting you to meetings.
On the positive note, it works insofar as once it's said, the folks in charge can't hide under the blanket of ignorance. But it doesn't work in that you're seen as the problem rather than asking "why the heck do we keep suggesting illegal things?"
I loved working in a HIPAA-regulated field - "we literally can't do that without breaking the law" would actually work to make people remember that security is important. That said, I lucked out in that one of the two cofounders actually understood why this was important (and he gave me permission to revoke all access to sensitive data from the other cofounder).