by dreamcompiler
2510 days ago
> It's about whether or not the target has plugged all their holes or not.

You're not exactly wrong, but you're assuming something that's impossible. How do you know where all the holes are? You (I'm using the generic you here, as though speaking to a CIO) cannot even inventory all the net-connected software and hardware you own, and even if you could, the list would be out of date in 24 hours. But let's say you had that fictional inventory. How do you find its vulnerabilities? You might be able to design an automated process to look at your source code and match against the CVE database. Whoops! You don't have source code for most of your resources because they're proprietary and came from outside vendors. So maybe you look at object code. There are tools that do that. Whoops! A lot of the code is in ROM and you cannot extract it. Even if you could extract all your object code and analyze it against CVEs (which you can't), that's only going to catch known vulnerabilities. What about the unknown ones? Oh, and now we have to talk about all the stuff that's not net-connected which is vulnerable to employees plugging in USB drives...

So no, you can't know where all the holes are, so there's no way to patch them all. This doesn't mean security is impossible. It just means there's no such thing as perfect security and there are no magic bullets. Security is a necessary, expensive, and mostly boring part of any company's day-to-day business operations, like, say, accounting and the legal department. But that's not quite right, because most of your employees probably don't need to know much about accounting or the law. But they do need to understand the basics of safe computer use, so ongoing training should be a fat budget line item. Anyway, security is a process, not a thing you can just buy a little of from a vendor. You ignore the security process at your peril.