I was once tasked to work with TPM 2.0 provisioning in an embedded position. They specifically chose me and pulled me from another team because of my skills in cryptography (I wrote Monocypher). Fast forward a couple weeks, I notice that the way the provisioning was specified, it would allow us to provision a fake TPM without noticing. My team lead didn’t believe me.
Sometimes later we had an actual provisioning procedure in place, and what do you know, it worked to completion even with a fake (software) TPM and a real certificate from the manufacturer. Because, well… we just didn’t compare the relevant public keys. My team lead was still sceptical.
I had to mention the issue in a meeting with some higher-ups and the security guy to be allowed to fix the problem. I believe this goes a bit deeper than a status game. I think it’s downright magical thinking: this hope that ignoring problems (especially vague threats like security vulnerabilities), could make the problem actually disappear.