It seems to me that the teacher meant that the protection measures should be adequate to the threat. Those. it is necessary to start designing a protection system from building a threat model and an intruder model, assessing the risks of violating the integrity, confidentiality and availability in this particular IS. And only then offer measures and means to minimize risks.
Often, we do everything through the ass, i.e. security policies are thoughtlessly composed, a pile of specials is purchased. software and hardware, nuts are tightened red-hot, and the object of protection at the same time is information about what the chief accountant's favorite aquarium fish eats for breakfast. Well, you understand?

Pardon the pun, but extra protection is never superfluous. I recommend that you clarify with the teacher - what he specifically meant by this "excessive" protection of information systems. Have him give detailed examples and keywords to search for.

There is one simple rule - the cost of protecting the system should not exceed the possible losses from its hacking, i.e. it makes no sense to fence a system worth 100 conventional rubles to protect information worth 10 rubles.

You basically need to write about it .
Only apply to protection systems.

Information security policy - almost finished text on our website