Yeah, basically Same-Origin Policy (https://en.wikipedia.org/wiki/Same-origin_policy) was the part that increased security, as it prevented websites (in browsers) from making arbitrary requests to arbitrary third-party websites.

Cross-Origin Resource Sharing (https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) is one way to relax the Same-Origin Policy, so you essentially whitelist what actually can be shared across Origins. To be used when the default Same-Origin Policy is too strict.

Overall I think it's a really simple concept, but libraries/frameworks/docs seem to constantly over-complicate it with their explanations.

But the combination of the two reduces security in the same manner as absurd password requirements cause people to write down their passwords.

A strong security measure without a reliable way to do the things you want to do induces people to bypass the security altogether.

Security designers generally are ok with this because they consider usability or user behaviour to be not their responsibility.
