by joeatwork 346 days ago
The page doesn’t say it, but this is why adding redundant safety systems and defense in depth stops working after a while - such systems end up running with (acceptable, unobserved) “holes” after a while - the more complex the system, the harder it is to perceive the holes, until one day they line up and become very obvious indeed.
1 comment

Well, I think that actually this is the whole rationale for adding redundant safety systems: i.e. you are going to have "holes" even if you don't know it, so add another system and hopefully the holes don't line up. I don't think this is an argument for not adding more - if anything it is the opposite, surely?

Obviously at some point you say enough is enough, no more cheese. I guess the nuance is how much cheese is enough.