RE: You’ve Been Warned Big Business. Ransomware is Coming for You!

in #security 7 years ago

Adapting is going to be very hard because the rate of change is increasing beyond where the human brain can keep up. Yes, we can use simulations, we can model, but the defense is centralized while the offensive is decentralized, and the knowledge on the defense is locked up in silos and not shared.

Yet the offensive is sharing the knowledge almost immediately. So once one group invents a new kind of Ransomware, the code is almost always shared or it's reverse engineered. The defenses against it also aren't so easy to automate compared to the offense. From what I can see it's easy to automate the attacks, the weapons, and the weapons themselves can learn and evolve. The defense, I suppose we can assume, is not going to be able to keep up, and so how can disaster recovery be robust enough so that when a company is successfully attacked it isn't completely bankrupted?

If absolute security is assumed impossible and companies admit the defensive capabilities are limited, then companies can figure out ways to reduce the costs of defense and recovery. Lower-cost defense and recovery, I think, is the best-case win because I don't see the defense completely stopping Ransomware or rendering it completely ineffective, for similar reasons social engineering cannot be rendered completely ineffective.

Outstanding insights (you have spent some time understanding the landscape, I am impressed!)

So a few thoughts to build on what you are saying...

Yes, the offense (attackers) are traditionally much better at sharing and collaborating. But two factors are shifting the equation a little bit. First, defenders are starting (yes, just starting) to share and collaborate more. For example, look at nomoreransom.com, where top security competitors are working together to publish free anti-ransomware recovery tools. Second, we will see the emerging top-tier threats, nation-state players, have more of a role in cyber attacks, and they traditionally DON'T like to share their toys. That puts downward pressure on collaboration by the most well-funded offensive attackers.

Offense and Defense are becoming more automated. That is just the nature of cyber. We will all be talking about AI attacks/defense in the next few years as it will be the pivotal area of research. Tech is just the tool. Those who find a way to use the tools first and to the greatest effect gain a significant advantage.

Skip the notion of absolute security. It is a marketing dream, not reality. In the real world we don't want to be impervious to attack (zero risk) as that would be far too expensive, unacceptably encumbering, and likely technically impossible anyways. That is not the goal. The real objective is to understand, attain, and sustain an 'optimal' level of security. This is where the costs, risks, and usability impacts are in the right balance for the organization. Risk is okay if it is understood, managed to the right level, and accepted by those responsible.